Rationale for Concurrent Verification and Partial Orders

The Problem. Enhancing the reliability of concurrent systems is an increasingly important and challenging problem for information technology today. The problem is more serious than for sequential systems for two reasons. First, the possible interactions in a computer network are far more complex than for a traditional stand-alone sequential program. Second, one little bug may ruin the whole day not just of an individual computer user but an entire community, many of whom need not even be directly involved with computers.

With increasing system complexity, whether concurrent or sequential, come increasing costs of system failure. The widespread outage of the telephone system on the US East coast in January 1991 dramatically testified to the expensive havoc that one tiny programming error could wreak, as did the $475 million Pentium chip division bug, and the recent $5 billion crash of the Ariane 5 rocket.

Expectations. It is unreasonable to expect to eliminate all errors, even catastrophic ones, but any improvements in software technology that will reduce their frequency and severity are well worth the effort. If each $100 million invested in enhanced system reliability avoided one billion-dollar catastrophe, the rate of return on this investment would be a thousand percent even without counting the savings from the many lesser bugs that would also have been avoided.

Given the magnitude of the software reliability problem, the software industry should not put all its eggs in the one basket, but instead aggressively explore all reasonable alternatives.

The Verification Option. One alternative that has strong support from a large segment of the software engineering community is verification, the application of logic to the efficient search of the entire space of possible behaviors. No tool can hope for perfection, and logic is no exception. What logic accomplishes is not the infallibility popularly attributed to it, but rather the efficient search of combinatorially large or even infinite state spaces for all the known types of bugs in a practical amount of time. No methodology comes near the efficacy of logic in that role, particularly in the case of infinite search spaces where mathematical induction permits seeking out in finite time every nook and cranny that may hide a known type of bug.

One weakness of logic is that it cannot guarantee to recognize bugs of a kind not anticipated by the axioms of the logical system. For this and other reasons logic should be viewed as just one player on a team whose overall goal is improved reliability. Logic has proved a valuable player in this role on many documented occasions, fully justifying its continued support and growth.

Logic works best when understood as a discipline for manipulating not just symbols (proof theory) but also facts about some world (model theory). To the latter end one develops a mathematical model of that world, and evaluates the soundness of the proof system relative to that model. The model must be faithful to the world, yet simple enough to permit the logic's soundness to be assessed.

What is concurrency? A burning problem in program verification today is how to model the world of concurrent systems. The excellent models of sequential behavior that have evolved during the past thirty years of sequential program verification do not adequately reflect the nature of a concurrent universe. Only when one imagines each and every event in the universe lining up to take its turn can one confidently apply any of the sequential models. A variety of "testing scenarios" reveals situations where sequential models yield a visibly wrong answer and hence an unsound logic. These scenarios have spurred interest in true concurrency, as it has come to be called, namely modeling concurrency in a way that is faithful to all currently understood modes of interaction of system components, particularly those beyond the reach of sequential models.

Two concurrency models. There are two basic approaches to true concurrency, state-based and event-based. The state-based approach, as the standard model for sequential behavior, has the advantage of familiarity. In this model, the passage from sequential to concurrent behavior is accompanied by an increase in structural complexity of the transition system. The basic additional structure required is a higher-dimensional filling in of the spaces between the "commuting squares" characteristic of the state diagrams of concurrent systems. While this structure is most simply realized directly by geometric means, a number of more or less equivalent ways of achieving essentially the same effects have been proposed by the concurrency community in the past decade or so.

The event-based approach models behavior in terms of occurrence of events. A system, or any of its components, is modeled as the set of all events the system is capable of performing, usually infinite in practice. Pure concurrency, with no synchronous behavior, interference, or other interaction, is simply the set of events itself with no additional structure. The many ways in which system components can interact, whether cooperating synchronously (communication), competing for shared resources that forbid simultaneous access (mutual exclusion), or inhibiting one another's occurrence altogether (conflict), are modeled by equipping the event set with structure consisting of constraints formally expressing those interactions. Note the change in direction here: with states, structure increases with increasing independence, while with events it increases with increasing interaction, the opposite of independence.

Just as physics needs both waves and particles to model the physical universe, so does computer science need both state-based and event-based models of true concurrency.

Partial Orders. The focus of this workshop is on the concurrent structures supporting the event-based approach, the basic such structure being the partial order. Total order semantics views each execution of a concurrent system as a sequence of events, where actions executed concurrently appear according to some arbitrary order. Partial order semantics allows events to appear either ordered or unordered, disallowing causality cycles, e.g., action A happens before action B, which happens before action C, which happens before A.

Total order semantics, also called interleaving semantics, is traditionally considered easier to work with as it lends itself to simple representations, e.g., with finite state machines. Until recently partial order semantics has not been widely applied in practical verification due to a lack of maturity in the methodology of its use and a shortage of suitable tools for verification based on partial orders.

Continuing research into partial order semantics has improved this situation in recent years, and the partial order approach can now reasonably be looked to as a viable extension of total order semantics. Since total orders are a special case of partial orders, the move to the latter has freed verification system builders to employ new methods without having to abandon those sequential methods that have proved useful in concurrent verification. These new methods are now starting to show worthwhile efficiency gains in the exploration of state spaces.

Doron Peled, Vaughan Pratt, Gerard Holzmann
Murray Hill, NJ and Palo Alto, CA.
Abstract

Prefix functions are thought of as a unifying concept for different ways of looking at discrete processes. The idea of a prefix function consists in establishing relations between events and states; different types of such relations correspond to different ways of understanding states being reached in the course of computation. This concept covers such concurrent systems description tools as finite state automata, trees, Petri nets, traces, occurrence graphs, vector languages, multi-trees and similar. Special attention is paid to the operations of contraction and synchronization on prefix functions.

Keywords: events; states; discrete processes; concurrency.


1 Introduction

The purpose of the present paper is to situate trace calculus within a broader context of concurrency description tools. Trace theory turns out to be useful for describing and analysing some concurrency phenomena because of its similarity to the well established and familiar theory of automata and formal languages on the one hand, and of its ability to capture such properties of concurrent processes as partiality of the ordering of event occurrences on the other. However, trace theory has succeeded only in a limited family of concurrent systems that can roughly be compared with cooperating sequential processes; to find its sound extension suitable for more general models is then of primary interest. To this end, it seems worthwhile to look closer at the basic concepts of trace theory, identify those that can be generalized, and try to adapt them to a broader context.

Traces over an alphabet (consisting of event names) equipped with a dependency relation (a symmetric and reflexive binary relation in it) arise by identification of all strings over the alphabet that differ only by the order of two consecutive independent symbols; the result of such an identification is a trace, representing an action composed of a number of events, some of them occurring independently of others, or (equivalently) a system state reached after the occurrence of these events. In trace theory the dependency relation defining the way of state identification is fixed for the whole modelled system; this causes the limitations of trace usage mentioned above. In this paper the state identification is not restricted to that induced by a dependency relation; instead, it is considered as a tool that can be tailored to the current needs of system verification: the state equivalence useful for proving some eventualities of system behaviour may be different from that needed for proving some system invariants. In a system specification or verification, some states can be treated as equivalent, restricting in this way the number of cases to be analysed; in the case of concurrent systems this restriction may be quite serious.

Labelled graphs, like Pratt's pomsets [9], or labelled posets indicating causal relationships of (named) events, offer another possibility of concurrent process description. They can be related to strings of symbols as follows: for each string $w$ over an alphabet of events, or elementary actions, say $A$, denote by $\gamma(w)$ the graph defined recursively: $\gamma(\varepsilon)$ is the empty graph, and $\gamma(wa)$ arises from the graph $\gamma(w)$ by adding to it a new node labelled with symbol $a$ and new arcs leading to it from all vertices of $\gamma(w)$ labelled with symbols that $a$ causally depends on. Thus, for any prefix-closed language $L$ representing sequences of actions of a concurrent process, the function defined on $L$ assigning to each $w \in L$ the graph $\gamma(w)$ constructed as explained above can be viewed as a description of the process. In this case states of a process are determined by initial pieces of causally ordered histories.

Yet another view on states of a process takes into account only the 'future' of a process after its partial execution. In this case it does not matter what the history of the process reaching some point is, but only what the possibilities of its continuation are. This approach resembles that of automata theory: the number of states in a process is equal to the number of different continuations of the process; if it is finite, then the number of states is finite.

Looking at processes as activities of a number of sequentially acting agents, as in Hoare's language [3] with Shields' theoretical background [12], it is quite natural to define a concurrent process as a composition of sequential processes. This approach looks very promising for at least two reasons: first, the theory of sequential processes is well elaborated and established; second, it uses directly compositionality methods that are especially valuable in dealing with multiagent systems. However, the composition used in this approach concerns only sequential processes, not accepting cases where single agents can act in a nonsequential way; applying the basic concepts of this approach one can expect a perfect tool for process descriptions.

Thus, the answer to what the 'real' state of a process is depends on the questions asked about the process itself. When proving some eventualities that will occur during a process run, the notion of a state may be different from that needed for proving some invariant properties or estimating the time limit of the process duration. Therefore, in this paper the notion of a state is not fixed. The nature of states is irrelevant for the present purposes; it is convenient to abstract from their specific properties, and to concentrate only on the way they are reached by the system. This leads to the concept of prefix functions, discussed throughout the paper.

The standard mathematical notation is used in the paper. The set of all integers is denoted by $\mathbb{Z}$, and the set of all non-negative integers by $\mathbb{N}$. If $f$ is a function, $D(f)$ denotes the domain of $f$ and $R(f)$ the range of $f$. The symbol $f : A \to B$ is used to indicate that $f$ is a function with domain $A$ and range contained in $B$. If $R(f) = B$, $f$ is said to be onto $B$; a one-to-one function is a bijection. If $f : A \to B$, $g : B \to C$, then $fg : A \to C$ denotes the composition of $f$ with $g$ defined by $fg(x) = g(f(x))$ for all $x \in A$.

Any finite set (of symbols) is an alphabet; $A^*$ is the set of all strings over $A$, i.e. finite sequences of symbols in $A$, including $\varepsilon$, the empty string. Any subset of $A^*$ is called a language over $A$. If $w$ is a string and $A$ is an arbitrary alphabet, then the projection $\pi_A(w)$ of $w$ onto $A$ is the string arising from $w$ by erasing in $w$ all symbols not in $A$; if $L$ is a language, $\pi_A(L)$ is the set of projections of all strings in $L$ onto $A$. If $u, v \in A^*$, then $uv$ is the concatenation of strings $u, v$; string $u$ is a prefix of string $w$ if there exists a string $v$ with $w = uv$. Clearly, the relation "to be a prefix of" is a (partial) ordering relation in the set of all strings. A language is prefix closed if together with a string it contains all prefixes of this string. The kernel of language $L$ is the greatest prefix-closed language $\ker(L)$ contained in $L$; the prefix closure of language $L$ is the least prefix-closed language $\mathrm{Pref}(L)$ containing $L$. For any string $w$ and symbol $a$, the number of occurrences of $a$ in $w$ is denoted by $w(a)$. For any language $L$ and any string $w$, the continuation of $w$ in $L$ is the set

$$\theta(L, w) = \{u \mid wu \in L\}.$$

2 Algebraic tools.

The discrete processes considered here are assumed to be composed of a finite or infinite number of event occurrences; the set of events, called here the alphabet, is assumed to be finite. In order to build processes of events a number of algebraic means has been applied; below some of them are briefly presented. To make their comparison possible, the alphabet $A$ of events is fixed for what follows.

Monoid of strings. The free monoid generated by alphabet $A$, i.e. the algebra $(A^*, \circ, \varepsilon)$ with composition (concatenation) $\circ$ and the empty string $\varepsilon$ as the neutral element, called the monoid of strings over $A$, is the basic algebra serving in the sequel for defining others. This monoid will be denoted by $S(A)$ in the sequel. By the definition of freeness, for any other monoid $(X, \circ, 1)$ and any mapping $f : A \to X$ there exists the unique extension $f^* : A^* \to X$ of $f$ such that

$$f^*(\varepsilon) = 1, \qquad f^*(ua) = f^*(u) \circ f(a).$$

As has been mentioned above, the prefixes of any string are linearly ordered.

Monoid of traces. Let $D \subseteq A^2$ be a symmetric and reflexive relation, called a dependency relation in $A$, and let $I_D = A^2 - D$; symbols $a, b$ are called dependent if $(a, b) \in D$, and independent otherwise. Let $\equiv_D$ be the least congruence in the monoid $S(A)$ such that

$$ab \equiv_D ba \quad \text{for } (a, b) \in I_D.$$

Then the quotient monoid $S(A)/\equiv_D$, denoted by $T(D)$, is called the trace monoid over $D$ and its elements traces over $D$ (observe that the relation $D$, being reflexive, determines the alphabet $A$). By the definition of quotient algebras, $T(D)$ arises from $S(A)$ by identifying strings that differ only by swapping over some adjacent occurrences of independent symbols. As usual, $[w]_D$ denotes the equivalence class of string $w$ w.r.t. the congruence $\equiv_D$ (the trace determined by $w$); the symbol $[\,]_D$ also denotes the homomorphism $\phi : S(A) \to T(D)$ such that $\phi(w) = [w]_D$. The symbol $T(D)$ will also denote the base set of the monoid of traces over $D$.


Figure 1: The prefix structure of $[abbca]_D$ for $D = \{a, b\}^2 \cup \{a, c\}^2$.

By definition we have $[u]_D[w]_D = [uw]_D$ for all $u, w \in A^*$; call trace $[u]_D$ a prefix of trace $[w]_D$ if $[u]_D[v]_D = [w]_D$ for some trace $[v]_D$. In contrast to $S(A)$, the set of prefixes of a trace is ordered by the prefix relation only partially, as is shown in Fig. 1.
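The trace congruence and the prefix structure of Fig. 1, worked through as an added example (this code is not part of the paper): a string is closed under swaps of adjacent independent symbols to obtain $[w]_D$, the traces of all prefixes of its members are collected, and the covering relation of the prefix order (the edges of the Hasse diagram in Fig. 1) is derived from them. The dependency $D = \{a,b\}^2 \cup \{a,c\}^2$ and the string abbca are the ones in the figure; the function names are my own, and the lexicographically least member is used as the representative of a trace only for readability.

```python
from collections import deque
from itertools import product

# Constructed example: the dependency of Fig. 1, D = {a,b}^2 U {a,c}^2,
# so (b, c) is the only independent pair of distinct symbols.
DEPENDENCY = ({(x, y) for x, y in product("ab", repeat=2)}
              | {(x, y) for x, y in product("ac", repeat=2)})


def independent(x, y, dep=DEPENDENCY):
    """(x, y) in I_D = A^2 - D."""
    return (x, y) not in dep


def trace(w, dep=DEPENDENCY):
    """[w]_D: the class of w under the least congruence generated by
    ab = ba for independent a, b. Computed as the breadth-first closure of
    {w} under single swaps of adjacent independent symbols; it terminates
    because every member is a permutation of w."""
    seen = {w}
    queue = deque([w])
    while queue:
        u = queue.popleft()
        for i in range(len(u) - 1):
            if independent(u[i], u[i + 1], dep):
                v = u[:i] + u[i + 1] + u[i] + u[i + 2:]
                if v not in seen:
                    seen.add(v)
                    queue.append(v)
    return frozenset(seen)


def rep(t):
    """A canonical representative of a trace: its lexicographically least member."""
    return min(t)


def trace_prefixes(w, dep=DEPENDENCY):
    """All traces [u]_D with [u]_D [v]_D = [w]_D for some v, i.e. the traces of
    the string prefixes of members of [w]_D, returned by representative."""
    return {rep(trace(u[:k], dep)) for u in trace(w, dep) for k in range(len(u) + 1)}


def is_trace_prefix(u, w, dep=DEPENDENCY):
    """[u]_D is a prefix of [w]_D iff some member of [u]_D is a string prefix
    of some member of [w]_D."""
    return any(x.startswith(y) for x in trace(w, dep) for y in trace(u, dep))


def hasse_edges(w, dep=DEPENDENCY):
    """Covering pairs of the prefix order on the prefixes of [w]_D. Since every
    prefix of a trace of length n+1 that is covered has length n, (u, v) is a
    covering pair iff v has one more symbol than u and [u]_D is a prefix of [v]_D."""
    prefixes = trace_prefixes(w, dep)
    return {(u, v) for u in prefixes for v in prefixes
            if len(v) == len(u) + 1 and is_trace_prefix(u, v, dep)}


if __name__ == "__main__":
    print(sorted(trace("abbca")))
    print(sorted(trace_prefixes("abbca")))
    for edge in sorted(hasse_edges("abbca")):
        print("%-6s < %s" % edge)
```

For abbca the class has three members (abbca, abcba, acbba), the prefix structure has eight traces, and the covering relation has nine edges, with ab and ac both below abc and abb and abc both below abbc: the two "diamonds" that make the order partial rather than linear.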

A subset $P$ of $T(D)$ is confluent if for each pair of traces $t', t'' \in P$ there is a trace $t \in P$ such that $t'$ as well as $t''$ are prefixes of $t$.

Shields algebras. Let $\mathbf{A} = (A_1, A_2, \ldots, A_N)$ be a tuple of alphabets such that $A = \bigcup_{i=1}^{N} A_i$ and let $D = \bigcup_{i=1}^{N} A_i^2$; clearly, $D$ is a dependency relation in $A$. Let

$$P(\mathbf{A}) = \prod_{i=1}^{N} S(A_i)$$

be the product of the monoids $S(A_1), S(A_2), \ldots, S(A_N)$, where $S(A_i) = (A_i^*, \circ, \varepsilon)$; elements of this monoid, i.e. tuples belonging to

$$A_1^* \times A_2^* \times \cdots \times A_N^*,$$

are called string vectors. Let $\pi$ denote the homomorphism of $S(A)$ to $P(\mathbf{A})$ such that

$$\pi(w) = (\pi_1(w), \pi_2(w), \ldots, \pi_N(w)),$$

where $\pi_i(w)$ denotes the projection of $w$ onto $A_i$, for each $i = 1, 2, \ldots, N$ and each $w \in A^*$. The Shields algebra over $\mathbf{A}$ is the image of $S(A)$ given by $\pi$; this image, denoted here by $V(\mathbf{A})$, is a subalgebra of $P(\mathbf{A})$ generated by the set $A_0$:

$$A_0 = \{\pi(a) \mid a \in A\}.$$

Images of prefix-closed languages over $A$ given by $\pi$ ('prefix-closed' subsets of $S(A)$) are called here Shields languages. String vectors are ordered by the prefix relation defined pointwise: vector $(u_1, u_2, \ldots, u_N)$ is a prefix of vector $(w_1, w_2, \ldots, w_N)$ if $u_i$ is a prefix of $w_i$ for all $i = 1, 2, \ldots, N$.


[Figure 2 (diagram not reproduced): the Hasse diagram of the prefixes of the string vector $(abba, aca)$, from $(\varepsilon, \varepsilon)$ at the top down to $(abba, aca)$.]

Figure 2: The prefix structure of string vector $(abba, aca)$ for $\mathbf{A} = (\{a, b\}, \{a, c\})$.


The concept of the monoid of string vectors as formulated above originates in papers of M.W. Shields [12]. His main idea was to represent non-sequential processes by a collection of individual histories of concurrently running components; an individual history is a string of events concerning only one component, and the global history is a collection of individual ones. This approach, appealing directly to the intuitive meaning of parallel processing, is particularly well suited to CSP-like systems [3] where individual components run independently of each other, with one exception: an event concerning a number of (in CSP at most two) components can occur only coincidently in all these components (the 'handshaking' or 'rendez-vous' synchronization principle). The presentation and the terminology used here have been adjusted to the present purposes and differ from those of the author.

Dependence graphs monoid. Let $D$ be a dependency relation in $A$. Dependence graphs over $D$ (or d-graphs for short) are finite, oriented, acyclic graphs with nodes labelled with symbols from $A$ in such a way that two nodes of a d-graph are connected with an arc if and only if they are different and labelled with dependent symbols. Formally, a graph with the set of nodes $V$ labelled by $\varphi$, and with the set of arcs $R$, is a dependence graph (d-graph) over $D$ iff

$$(v_1, v_2) \in R \lor (v_2, v_1) \in R \lor v_1 = v_2 \iff (\varphi(v_1), \varphi(v_2)) \in D$$

for all $v_1, v_2 \in V$. Two d-graphs $\gamma', \gamma''$ are isomorphic, $\gamma' \simeq \gamma''$, if there exists a bijection between their nodes preserving labelling and arc connections. As usual, two isomorphic graphs are identified; all inherent properties of d-graphs are formulated up to isomorphism. The empty d-graph $(\emptyset, \emptyset, \emptyset)$ is denoted by $\Lambda$ and the set of all (isomorphism classes of) d-graphs over $D$ by $\Gamma(D)$.

The monoid $G(D)$ of dependence graphs over dependency $D \subseteq A^2$ is the monoid $(\Gamma(D), \circ, \Lambda)$ generated by the family $\{g(a) \mid a \in A\}$ of singleton graphs, where

$$g(a) = (\{a\}, \emptyset, \{(a, a)\}),$$

and with the composition $\circ$ defined as follows: the composition $\gamma_1 \circ \gamma_2$ of $\gamma_1$ with $\gamma_2$ is (isomorphic to) the graph arising from disjoint representations of $\gamma_1, \gamma_2$ by introducing new arcs leading from each node of $\gamma_1$ to each node of $\gamma_2$, provided they are labelled with dependent symbols. It is easy to prove that the composition of d-graphs is a d-graph again and that the composition operation is associative, with $\Lambda$ as the neutral element. It turns out that the homomorphic extension of the mapping $g : A \to \Gamma(D)$ to $A^* \to \Gamma(D)$ is a homomorphism of $S(A)$ onto $G(D)$.


[Figure 3 (diagram not reproduced).]

Figure 3: Dependence graph over $D = \{a, b\}^2 \cup \{a, c\}^2$.

For a given dependence graph $\gamma$, a node $v$ of $\gamma$ is a predecessor of another node $u$ of $\gamma$ if $(v, u)$ is an arc of $\gamma$. Clearly, all predecessors of a node labelled with symbol $a$ are labelled with symbols dependent on $a$. Any full subgraph of $\gamma$ which, together with a node, contains all its predecessors, is a prefix of $\gamma$. It turns out that dependence graphs are partially ordered by the above prefix relation. Dependence graphs are thought of as graphical representations of runs of non-sequential processes which make explicit the ordering of action occurrences within compound actions. If the dependency in $A$ reflects the causal relationship among the events symbolized by elements of $A$, then dependence graphs are representations of the causal succession of event occurrences in a process run.

It turns out that for a given dependency $D$ and $I_D = A^2 - D$ all three monoids, of traces, Shields' monoid, and the d-graph monoid, can be characterized as images of the monoid of strings $S(A)$ given by homomorphisms $\phi$ meeting the conditions:

$$\phi(w) = \phi(\varepsilon) \Rightarrow w = \varepsilon,$$

$$(a, b) \in I_D \Rightarrow \phi(ab) = \phi(ba),$$

$$\phi(ua) = \phi(v'av'') \Rightarrow \phi(u) = \phi(v'v''),$$

$$\phi(ua) = \phi(vb) \land a \ne b \Rightarrow (a, b) \in I_D,$$

for each $a, b \in A$, $u, v, v' \in A^*$, $v'' \in (A - \{a\})^*$. From the above conditions one can prove all three monoids to be isomorphic; hence it is only a matter of taste which objects are chosen for representing concurrent processes: equivalence classes of strings, string vectors, or dependence graphs.
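The Shields projection of Fig. 2, the d-graph construction (the recursive $\gamma(wa)$ of the Introduction, equivalently the composition $g(w_1) \circ \cdots \circ g(w_n)$), and the claim that the two images identify exactly the same strings, as one added example that is not part of the paper. One device here is my own and not the paper's: a d-graph built from a string is stored with its nodes named $(a, k)$, the $k$-th occurrence of $a$, so that two such graphs can be compared by equality instead of by a general isomorphism test. This naming is sound because swapping adjacent independent symbols changes neither the number of occurrences of any symbol nor the relative order of two occurrences of dependent symbols, so trace-equivalent strings give identical named graphs, and conversely the named graph determines every component projection. The alphabet tuple $(\{a,b\}, \{a,c\})$ is the one in Fig. 2; all function names are assumptions of this example.

```python
from itertools import product

# Constructed example: A = ({a,b},{a,c}) as in Fig. 2, giving
# D = {a,b}^2 U {a,c}^2 as in Figs. 1 and 3.
COMPONENTS = ("ab", "ac")
DEPENDENCY = {(x, y) for comp in COMPONENTS for x, y in product(comp, repeat=2)}
ALPHABET = sorted(set("".join(COMPONENTS)))


def projection(w, sub):
    """pi_sub(w): erase from w every symbol not in sub."""
    return "".join(x for x in w if x in sub)


def string_vector(w, comps=COMPONENTS):
    """pi(w) = (pi_1(w), ..., pi_N(w)), the homomorphism S(A) -> P(A)."""
    return tuple(projection(w, c) for c in comps)


def vector_prefix(v1, v2):
    """Pointwise prefix order on string vectors."""
    return all(y.startswith(x) for x, y in zip(v1, v2))


def dgraph(w, dep=DEPENDENCY):
    """Dependence graph of w: one node per symbol occurrence, an arc from an
    earlier to a later occurrence iff their labels are dependent (this is what
    composing the singleton graphs g(w_1) o ... o g(w_n) produces). Nodes are
    named (symbol, k) for the k-th occurrence of symbol; see the lead-in for
    why this naming makes equality of the results coincide with isomorphism."""
    nodes, count = [], {}
    for x in w:
        count[x] = count.get(x, 0) + 1
        nodes.append((x, count[x]))
    arcs = {(nodes[i], nodes[j])
            for i in range(len(w)) for j in range(i + 1, len(w))
            if (w[i], w[j]) in dep}
    return frozenset(nodes), frozenset(arcs)


def predecessors(graph, node):
    """All v with (v, node) an arc of the graph."""
    _, arcs = graph
    return {v for v, u in arcs if u == node}


def is_dgraph_prefix(sub_nodes, graph):
    """A full subgraph that contains every predecessor of each of its nodes
    is a prefix of the graph."""
    sub = set(sub_nodes)
    return all(predecessors(graph, n) <= sub for n in sub)


def same_identification(strings, comps=COMPONENTS, dep=DEPENDENCY):
    """Check on a finite sample that the string-vector image and the d-graph
    image identify the same strings: pi(u) == pi(v) iff dgraph(u) == dgraph(v)."""
    vec = {u: string_vector(u, comps) for u in strings}
    dg = {u: dgraph(u, dep) for u in strings}
    return all((vec[u] == vec[v]) == (dg[u] == dg[v])
               for u in strings for v in strings)


def all_strings(max_len, alphabet=ALPHABET):
    """Every string over the alphabet of length at most max_len."""
    return ["".join(p) for n in range(max_len + 1)
            for p in product(alphabet, repeat=n)]


if __name__ == "__main__":
    print(string_vector("abbca"), string_vector("acbba"))
    nodes, arcs = dgraph("abbca")
    print(sorted(nodes), sorted(arcs))
    print(same_identification(all_strings(4)))
```

Both abbca and acbba project to $(abba, aca)$, the vector of Fig. 2, and their named d-graphs coincide; over all 121 strings of length at most four the two identifications agree pairwise. Checking the third representation, traces, against these two is what the previous example's `trace` function does, so the three can be compared by combining the two blocks.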

Monoid of multisets. The free commutative monoid $(A^\oplus, +, 0)$ generated by $A$ is the multiset monoid over $A$ (or the monoid of linear forms over $A$), denoted by $R(A)$. The additive notation is used here because of the commutativity of the $+$ operation. Let $\mu : A^* \to A^\oplus$ be a mapping such that $\mu(\varepsilon) = 0$, $\mu(a) = a$ for $a \in A$, and $\mu(uv) = \mu(u) + \mu(v)$ for all $u, v \in A^*$. Clearly, $\mu$ is a homomorphism of $S(A)$ onto $R(A)$. The multiset $2a + 2b + c$ is an example of an element of $A^\oplus$; it is the value of $\mu(abbca)$. For any multiset $r$ and symbol $a$ the nonnegative integer $r(a)$ is called the multiplicity of $a$ in $r$. For any multiset $r$ we clearly have $r = \sum_{a \in A} r(a)\,a$. Multisets over an alphabet are pointwise ordered: $r' \le r''$ iff $r'(a) \le r''(a)$ for all $a \in A$; if $r' \le r''$, we say that $r'$ is a prefix of $r''$.

If $r', r''$ are multisets over $A$, then $\max(r', r'')$ is the multiset $r$ over $A$ such that $r(a) = \max(r'(a), r''(a))$ for each $a \in A$. A set $R$ of multisets is confluent if $r', r'' \in R$ implies $\max(r', r'') \in R$, and is linear if for any multisets $r', r'' \in R$ either $r' \le r''$ or $r'' \le r'$. A set $R$ of multisets is connected if for each $r \in R$ there exists a string $w \in A^*$ such that $\mu(w) = r$ and $\mu(u) \in R$ for each prefix $u$ of $w$. Clearly, any prefix-closed set of multisets is connected, but not the other way round. The following condition is necessary and sufficient for connectedness of $R$:

$$r \in R \Rightarrow r = 0 \lor \exists\, r' \in R,\ a \in A : r = r' + a.$$

Define the kernel of a set $R$ of multisets over $A$ as the least set $\ker(R)$ of multisets such that

$$0 \in R \Rightarrow 0 \in \ker(R), \qquad r \in \ker(R) \land r + a \in R \Rightarrow r + a \in \ker(R),$$

for all $r \in A^\oplus$, $a \in A$. Thus, $\ker(R)$ is the greatest connected subset of $R$, for each $R \subseteq A^\oplus$.
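The multiset monoid with its pointwise order, the confluence and linearity tests, and the kernel as a least fixpoint, as an added example (not the paper's code). Multisets are represented as `collections.Counter` objects and the kernel is built exactly by the two closure rules above, starting from $0$ and adding one symbol at a time while staying inside $R$; connectedness is then decided as $\ker(R) = R$, which is the content of the necessary-and-sufficient condition. The sample set `SAMPLE` is constructed for this example, and all function names are assumptions.

```python
from collections import Counter


def multiset(w):
    """mu(w): the multiset image of string w, as a Counter of multiplicities."""
    return Counter(w)


def add(r1, r2):
    """r1 + r2 in the free commutative monoid A^+."""
    return Counter(r1) + Counter(r2)


def leq(r1, r2):
    """Pointwise order r1 <= r2, i.e. r1 is a prefix of r2."""
    return all(r2[a] >= n for a, n in r1.items())


def mmax(r1, r2):
    """max(r1, r2): pointwise maximum of multiplicities."""
    return Counter({a: max(r1[a], r2[a]) for a in set(r1) | set(r2)})


def key(r):
    """Hashable canonical form of a multiset (zero multiplicities dropped)."""
    return frozenset((a, n) for a, n in r.items() if n > 0)


def is_confluent(R):
    members = {key(r) for r in R}
    return all(key(mmax(r1, r2)) in members for r1 in R for r2 in R)


def is_linear(R):
    return all(leq(r1, r2) or leq(r2, r1) for r1 in R for r2 in R)


def kernel(R, alphabet):
    """ker(R): the least set containing 0 (if 0 in R) and closed under
    r -> r + a whenever r + a in R. Computed as a fixpoint; it is the greatest
    connected subset of R. Returned as a set of canonical forms."""
    members = {key(r) for r in R}
    if frozenset() not in members:
        return set()
    ker = {frozenset()}
    frontier = [Counter()]
    while frontier:
        r = frontier.pop()
        for a in alphabet:
            s = add(r, Counter(a))
            if key(s) in members and key(s) not in ker:
                ker.add(key(s))
                frontier.append(s)
    return ker


def is_connected(R, alphabet):
    """R is connected iff every element is reachable from 0 by adding one
    symbol at a time without leaving R, i.e. iff ker(R) = R."""
    return kernel(R, alphabet) == {key(r) for r in R}


# Constructed sample: a chain 0 < a < a+b < a+b+c plus the multiset 2a+2b,
# which is in the set but cannot be reached from the chain one symbol at a time.
SAMPLE = [multiset(""), multiset("a"), multiset("ab"), multiset("abc"), multiset("aabb")]

if __name__ == "__main__":
    print(sorted(key(multiset("abbca"))))          # 2a + 2b + c
    print(sorted(sorted(k) for k in kernel(SAMPLE, "abc")))
    print(is_connected(SAMPLE, "abc"), is_connected(SAMPLE[:4], "abc"))
```

The full sample is neither linear nor confluent, and its kernel drops $2a + 2b$; the first four elements form a linear (hence confluent) connected chain.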

3 Specification tools.

The algebraic tools described in the previous section have been developed in order to capture in a satisfactory way the concurrency phenomena that came up while specifying and analysing non-sequential systems. In particular, the partial order of event occurrences during system runs made it necessary to look for a non-standard way of describing processes. Historically, the specifications of non-sequential systems came before rigorous notions of their behaviour had been proposed. Below we briefly describe some formal system specifications that are inherently connected with the algebraic tools given in the previous section.

Elementary net systems. Elementary net systems [11, 13] (presented here with some minor changes) are particular cases of Petri nets, well suited for many applications and manageable using some formal means. An elementary net system is any system

$$E = (P, T, \mathrm{Pre}, \mathrm{Post}, m^0)$$

where $P, T$ are finite, nonempty sets of places and transitions, and

$$\mathrm{Pre} : P \to 2^T, \qquad \mathrm{Post} : P \to 2^T, \qquad m^0 \subseteq P,$$

are such that $T = \mathrm{Pre}(P) \cup \mathrm{Post}(P)$ (no isolated transitions) and $\mathrm{Pre}(p) \cup \mathrm{Post}(p) \ne \emptyset$ for all $p \in P$ (no isolated places).

The functions $\mathrm{Pre}$ and $\mathrm{Post}$ are extended to $P \cup T$ by setting

$$\mathrm{Pre}(t) = \{p \mid t \in \mathrm{Post}(p)\}, \qquad \mathrm{Post}(t) = \{p \mid t \in \mathrm{Pre}(p)\}.$$

The partial function $\delta : 2^P \times T \to 2^P$ is defined as follows:

$$\delta(m_1, t) = m_2 \iff \mathrm{Pre}(t) \subseteq m_1 \land \mathrm{Post}(t) \subseteq m_2 \land m_1 - \mathrm{Pre}(t) = m_2 - \mathrm{Post}(t).$$

The sequential behaviour of $E$ is then defined as the partial function $\beta_E : T^* \to 2^P$ defined recursively:

$$\beta_E(\varepsilon) = m^0, \qquad \beta_E(wt) = \delta(\beta_E(w), t)$$

for all $w \in T^*$, $t \in T$. The domain of $\beta_E$ is the set of execution sequences of $E$ and its range is the set of reachable markings of $E$. Obviously, the domain of $\beta_E$ is a prefix-closed language over $T$.

Set $\mathrm{Prox}(t) = \mathrm{Pre}(t) \cup \mathrm{Post}(t)$. Define in $T$ the dependency relation $D$ by the equivalence $(t', t'') \in D \iff \mathrm{Prox}(t') \cap \mathrm{Prox}(t'') \ne \emptyset$. It turns out that

$$w' \equiv_D w'' \Rightarrow (w' \in D(\beta_E) \iff w'' \in D(\beta_E)) \land \beta_E(w') = \beta_E(w'').$$

Therefore, from the point of view of reachable markings, strings of transitions equivalent w.r.t. the trace equivalence are also behaviourally equivalent. Moreover, if one assigns to each execution sequence $w \in D(\beta_E)$ the trace $[w]$, the prefix structure of $[w]$ exhibits the expected partial ordering of reachable markings. Thus, it is possible to define the trace behaviour of $E$ as a partial function $[\beta_E] : [D(\beta_E)] \to 2^P$ such that $[\beta_E]([w]) = \beta_E(w)$; this definition is correct in view of the implication above. Any confluent subset of the domain $D([\beta_E])$ of $[\beta_E]$ is a concurrent run of the elementary net system $E$.
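The transition function $\delta$, the sequential behaviour $\beta_E$, the dependency $D$ derived from $\mathrm{Prox}$, and the implication that trace-equivalent execution sequences reach the same marking, as an added example that is not part of the paper. The net is constructed for this example (two independent transitions whose outputs are joined by a third) and is described directly by $\mathrm{Pre}(t)$ and $\mathrm{Post}(t)$ for transitions, i.e. by the extended functions; all names are assumptions. The last function checks the implication on the sample net for single swaps of adjacent independent transitions, which generate the congruence, rather than for whole trace classes.

```python
from collections import deque

# Constructed elementary net system:
#   t1: p1 -> p2      t2: p3 -> p4      t3: p2, p4 -> p5
# Pre(t) and Post(t) are given for transitions (the extended functions).
PRE = {"t1": {"p1"}, "t2": {"p3"}, "t3": {"p2", "p4"}}
POST = {"t1": {"p2"}, "t2": {"p4"}, "t3": {"p5"}}
M0 = frozenset({"p1", "p3"})


def delta(m1, t, pre=PRE, post=POST):
    """delta(m1, t) = m2 iff Pre(t) <= m1, Post(t) <= m2 and
    m1 - Pre(t) = m2 - Post(t). The only candidate is
    m2 = (m1 - Pre(t)) | Post(t), and it satisfies the third condition iff
    Post(t) is disjoint from m1 - Pre(t). Returns None when delta is undefined."""
    if not pre[t] <= m1:
        return None
    rest = m1 - pre[t]
    if rest & post[t]:
        return None
    return frozenset(rest | post[t])


def beta(w, m0=M0, pre=PRE, post=POST):
    """beta_E(w): beta_E(e) = m0, beta_E(wt) = delta(beta_E(w), t);
    None iff w is not an execution sequence."""
    m = m0
    for t in w:
        m = delta(m, t, pre, post)
        if m is None:
            return None
    return m


def execution_sequences(max_len, m0=M0, pre=PRE, post=POST):
    """D(beta_E) restricted to sequences of length <= max_len, by breadth-first
    extension; prefix-closedness of the domain makes this search complete."""
    found = {()}
    queue = deque([()])
    while queue:
        w = queue.popleft()
        if len(w) == max_len:
            continue
        for t in pre:
            v = w + (t,)
            if v not in found and beta(v, m0, pre, post) is not None:
                found.add(v)
                queue.append(v)
    return found


def dependency(pre=PRE, post=POST):
    """D = {(t', t'') | Prox(t') and Prox(t'') intersect}, Prox(t) = Pre(t) | Post(t)."""
    prox = {t: pre[t] | post[t] for t in pre}
    return {(t1, t2) for t1 in pre for t2 in pre if prox[t1] & prox[t2]}


def swaps_preserve_behaviour(max_len=3, m0=M0, pre=PRE, post=POST):
    """For every execution sequence up to max_len and every adjacent pair of
    independent transitions in it, the swapped sequence is executable and
    reaches the same marking (the implication on the page, for generators of
    the trace congruence)."""
    dep = dependency(pre, post)
    for w in execution_sequences(max_len, m0, pre, post):
        for i in range(len(w) - 1):
            if (w[i], w[i + 1]) not in dep:
                v = w[:i] + (w[i + 1], w[i]) + w[i + 2:]
                if beta(v, m0, pre, post) != beta(w, m0, pre, post):
                    return False
    return True


if __name__ == "__main__":
    print(sorted(execution_sequences(3)))
    print(sorted(dependency()))
    print(swaps_preserve_behaviour())
```

The domain up to length three consists of the empty sequence, t1, t2, their two interleavings, and the two interleavings followed by t3; t1 and t2 are independent and both depend on t3, and both orders reach $\{p_2, p_4\}$ and then $\{p_5\}$. Reachable markings are here sets of places (the $2^P$ of the definition), and `delta` returns `None` exactly where the partial function is undefined.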


Cooperating sequential languages. Let $\mathbf{A} = (A_1, A_2, \ldots, A_N)$ be a tuple of alphabets and let $\mathbf{L} = (L_1, L_2, \ldots, L_N)$ be a corresponding tuple of prefix-closed languages, $L_i \subseteq A_i^*$ for each $i = 1, 2, \ldots, N$. The concurrent behaviour of the system $\mathbf{L}$ is the function $\beta_{\mathbf{L}}$ with

$$D(\beta_{\mathbf{L}}) = \ker\{w \mid \pi(w) \in \prod_{i=1}^{N} L_i\}$$

and $R(\beta_{\mathbf{L}}) \subseteq \prod_{i=1}^{N} L_i$ such that $\beta_{\mathbf{L}}(w) = \pi(w)$ for each $w \in D(\beta_{\mathbf{L}})$.

Place-transition Petri nets. Any place/transition Petri net (abbreviated as PT-net) is a system $N$,

$$N = (P, T, F, m^0),$$

where $P, T$ are finite, non-empty, disjoint sets (of places and transitions, resp.), $F : P \times T \to \mathbb{Z}$, and $m^0 : P \to \mathbb{N}$ (the initial marking). Any function $m : P \to \mathbb{N}$ is called a marking of the net $N$; the set of all such markings is denoted by $M$. The value of marking $m$ for place $p$ is interpreted as the (instantaneous) number of 'tokens' contained in $p$. Transition execution of $N$ is the partial function $\delta_N : M \times T \to M$ defined as follows:

$$\delta_N(m', t) = m'' \iff \forall p \in P : m''(p) = m'(p) + F(p, t) \ge 0$$

for all $m', m'' \in M$, $t \in T$. This function assigns to marking $m'$ and transition $t$ the marking $m''$ obtained from $m'$ in effect of the execution of $t$; execution of $t$ is possible if each place $p$ for which $F(p, t) < 0$ (from which $t$ 'takes' tokens) contains sufficiently many of them ($m'(p) + F(p, t) \ge 0$), and the resulting number of tokens in any place after execution of $t$ is equal to their previous number minus the number of tokens taken from this place by $t$ (if $F(p, t) < 0$) plus the number of tokens put by $t$ into the place (if $F(p, t) > 0$).

Let $N$ be an arbitrary PT-net. The marking behaviour of $N$ is defined as the partial function $\beta_N : T^* \to M$ given in a similar way as in the case of elementary net systems:

$$\beta_N(\varepsilon) = m^0, \qquad \beta_N(wt) = \delta_N(\beta_N(w), t)$$

for $w \in T^*$, $t \in T$. Elements of $D(\beta_N)$ are called firing or execution sequences, those of $R(\beta_N)$ the reachable markings. It is clear that $D(\beta_N)$ is a prefix-closed language. The sequential behaviour of $N$ is the domain $D(\beta_N)$ of the marking behaviour; for the sake of uniformity, it will be considered as the identity function with the domain $D(\beta_N)$. However, the sequential behaviour itself is not a sufficient tool to distinguish concurrent runs of a net.

A natural aim in exploring the partial order behaviour of PT-nets is to establish a sort of independency relation among transition occurrences and then an equivalence between states reached as the effect of such occurrences. However, in contrast to elementary net systems, where independency was fixed once and for all and determined by the structure of the net, independency between transitions in PT-nets may depend on the reached marking. It is not even quite obvious whether independency, as exhibited by PT-nets, leads to a partial order of transition occurrences in a system run. This issue will be discussed further on; for the time being the algebra of multisets, as defined above, seems to be a promising tool for describing the non-sequential behaviour of PT-nets, as explained below.

Let $A$ be an alphabet, $L \subseteq A^{\oplus}$. Call $L$ linearly definable if there is a function $k : A \cup \{\varepsilon\} \to \mathbb{Z}$ such that $k(\varepsilon) \geq 0$ and

$$L = \Bigl\{r \in A^{\oplus} \;\Big|\; \sum_{a \in A} k(a)\, r(a) + k(\varepsilon) \geq 0\Bigr\}.$$

$L$ is conjunctive if it is an intersection of a finite number of linearly definable sets. The kernel of a conjunctive set is a multitree and any confluent subset of a multitree is a multitrace. Any maximal linear subset of a multitrace is its (sequential) observation. The multiset behaviour of a PT-net $N = (P, T, F, m^0)$ is defined by means of the homomorphism $\mu : A^* \to A^{\oplus}$ applied to the domain of its sequential behaviour, i.e. as the function $\beta'_N$ with the domain

$$D(\beta'_N) = \ker\Bigl\{w \in T^* \;\Big|\; \bigwedge_{p \in P} \Bigl(\sum_{t \in T} F(p, t)\, w(t) + m^0(p) \geq 0\Bigr)\Bigr\}$$

such that $\beta'_N(w) = \mu(w)$ for each $w \in D(\beta'_N)$. It turns out that $R(\beta'_N) = B$, where

$$B = \ker\Bigl\{r \in T^{\oplus} \;\Big|\; \bigwedge_{p \in P} \Bigl(\sum_{t \in T} F(p, t)\, r(t) + m^0(p) \geq 0\Bigr)\Bigr\} \qquad (1)$$

and that $B$ is a multitree (recall that $r(t)$ is the multiplicity of $t$ in multiset $r$). Maximal multitraces of $B$ can be viewed as runs of $N$. In this description $B$ is a state space of $N$ and it determines uniquely all reachable markings of the net. Let $r \in B$; then any $r' \in B$ such that $r' \leq r$ is an initial part of a history leading to $r$; because of the partiality of the multiset ordering, this description exhibits the partial ordering of initial histories (or states) of the net runs.

Below we give two examples of PT-nets $N_1$, $N_2$ together with their state spaces $B_1$, $B_2$ defined by the multiset behaviour. Let

$$N_1 = (\{1, 2, 3, 4\}, \{a, b, c\}, F, m^0)$$

where

$$F(1, a) = F(2, b) = F(3, c) = F(4, c) = -1, \qquad F(4, a) = F(4, b) = 1,$$
$$m^0(1) = m^0(2) = m^0(3) = 1, \qquad m^0(4) = 0.$$


Graphical representation of net $N_1$ together with its marking is given in Figure 4.

Figure 4: $N_1$: an example of PT-net.


According to (1) the state space of $N_1$ is the following set of multisets:

$$B_1 = \ker\{r \mid r(a) \leq 1 \wedge r(b) \leq 1 \wedge r(c) \leq 1 \wedge r(c) \leq r(a) + r(b)\};$$

i.e.

$$B_1 = \{0,\ a,\ b,\ a + b,\ a + c,\ b + c,\ a + b + c\}.$$

This set is confluent, hence it represents the (only) run of the net. Graphical representation of the ordering of multisets in $B_1$ is given in Figure 5.

Figure 5: Structure of the state space given by the multiset behaviour of $N_1$.


Observe that no partial ordering of events can describe the above ordering of reachable markings (any multiset in $B_1$ determines uniquely a marking of the corresponding net).

The second example is in a sense the reverse of the previous one; net $N_2$ is defined as

$$N_2 = (\{1, 2, 3, 4\}, \{a, b, c\}, F, m^0)$$

where

$$F(1, a) = F(2, b) = F(4, b) = F(3, c) = F(4, c) = -1, \qquad F(4, a) = 1,$$
$$m^0(1) = m^0(2) = m^0(3) = m^0(4) = 1,$$

which in graphical form is presented in Figure 6.

Figure 6: $N_2$: another example of a PT-net.


The state space of $N_2$ given by the multiset behaviour is

$$B_2 = \ker\{r \mid r(a) \leq 1 \wedge r(b) \leq 1 \wedge r(c) \leq 1 \wedge r(b) + r(c) \leq r(a) + 1\};$$

hence,

$$B_2 = \{0,\ a,\ b,\ c,\ a + b,\ a + c,\ a + b + c\}.$$

This set is not confluent, since $\{b, c\} \subseteq B_2$, but $\max(b, c) = b + c \notin B_2$. Two maximal confluent subsets of $B_2$, hence two different runs of $N_2$, are:

$$R_1 = \{0,\ a,\ c,\ a + c,\ a + b,\ a + b + c\}, \qquad R_2 = \{0,\ a,\ b,\ a + b,\ a + c,\ a + b + c\}.$$
Figure 7: Structure of the state space of $N_2$ given by the multiset behaviour.


4 Prefix functions

In the previous section some methods of describing the behaviour of non-sequential systems have been given. All these descriptions share a common feature: the non-sequential behaviour of a system has been defined as a function on a prefix-closed language over the alphabet of (elementary) system actions, with values viewed as the system states reached after executing initial parts of a system run. Thus, in the present approach the most important aspects of the behaviour concern the way of assigning states to sequences of event occurrences rather than the states themselves. In particular, for many reasons it is useful to reduce the number of considered states by assigning the same state to a number of strings, and thus identifying some sequences. It is then useful to unify all these similar notions and to find some common features of their construction.

Let $A$ be an alphabet. Any function defined on a prefix-closed subset of $A^*$ will be called here a concrete prefix function over $A$. For any concrete prefix function $\sigma$ the alphabet of $\sigma$ is denoted by $A(\sigma)$. Interpreting concrete prefix functions as descriptions of discrete processes, elements of their alphabets are considered as events (or actions) of the processes, elements of their domains as all possible execution sequences of the processes, and elements of their ranges as (concrete) states of the processes.

Two concrete prefix functions $\sigma_1, \sigma_2$ are isomorphic, $\sigma_1 \simeq \sigma_2$, if $A(\sigma_1) = A(\sigma_2)$, $D(\sigma_1) = D(\sigma_2)$, and there exists a bijection $\phi : R(\sigma_1) \to R(\sigma_2)$ such that $\sigma_1 \phi = \sigma_2$. The class of all isomorphic concrete prefix functions over $A$ is an abstract prefix function over $A$, or simply a prefix function over $A$. Thus, in fact, values of prefix functions are known only up to isomorphisms of their representations (members of isomorphism classes).

There is, however, a canonical representation of values of prefix functions, defined in a standard way. Let, for any concrete prefix function $\sigma$, $\equiv_\sigma$ be the equivalence relation in $D(\sigma)$ such that $u \equiv_\sigma v \iff \sigma(u) = \sigma(v)$. It is clear that the equivalence $\equiv_\sigma$ is the same for all concrete prefix functions isomorphic to $\sigma$; then the concrete prefix function $\bar{\sigma}$ over $A$ assigning to each string $w$ the equivalence class $[w]_\sigma$ of $\equiv_\sigma$ containing $w$:

$$\bar{\sigma}(w) = [w]_\sigma$$

can serve as a canonical representation of the abstract prefix function determined by $\sigma$. On the other hand, for any equivalence relation in a prefix-closed subset of $A^*$ there exists precisely one prefix function represented by the function assigning to each string the equivalence class containing this string.

Two prefix functions are distinguished for any prefix-closed domain: the identity prefix function, isomorphic with the identity function, and the constant prefix function, isomorphic with a function assigning the same constant value to all strings in its domain (notice that, up to isomorphism, there is only one constant prefix function).

Prefix functions can be viewed as a tool for describing the behaviour of discrete systems, interpreting their arguments as sequences of system actions and their values as the resulting states. Having in mind the intended interpretation and using prefix functions as models of processes, we then avoid answering the question "what are states", defining only their representations; the nature of states is irrelevant from the point of view of prefix functions. Instead, what is relevant from this point of view is how execution sequences, or sequences of events, can be identified without losing essential features of a system's behaviour. Thus, we are interested in those features of prefix functions that are independent of their interpretations; speaking of abstract prefix functions we always use their concrete representations, remembering however their abstract nature. The function assigning to each (initiated) transition sequence of a Petri net the resulting marking is an example of a prefix function. Another example is related to transition systems with a fixed initial state: a function assigning to each sequence of transitions its resulting state is a prefix function. Yet another example is the function assigning to each string its trace equivalence class, for a given dependency relation, and the function assigning to each string of symbols the vector of its projections on distinguished subalphabets. A common feature of all these functions is the identification of sequences that are considered as identical from the state space point of view.

For any prefix function $\sigma$ over $A$ and each $a \in A$ let the transition relation $\to_a$ of $\sigma$ be defined as follows:

$$s' \to_a s'' \iff \exists u \in A^* : s' = \sigma(u),\ s'' = \sigma(ua)$$

for each $s', s'' \in R(\sigma)$ and $a \in A$. The step relation $\to$ of $\sigma$ is the relation defined as

$$s' \to s'' \iff \exists a \in A : s' \to_a s'';$$

the transitive and reflexive closure $\to^*$ of the step relation is the progress relation of $\sigma$. Clearly, the progress relation of any prefix function is a quasi-ordering relation. Let $\sigma$ be a prefix function and $\to$ be the step relation of $\sigma$. Prefix function $\sigma$ is strict if $s' \to s'' \implies s' \neq s''$ for all $s', s'' \in R(\sigma)$; $\sigma$ is monotone if $\to^*$ is an ordering of $R(\sigma)$; and $\sigma$ is strictly monotone if it is strict and monotone. If $\sigma$ is monotone and for each $w \in D(\sigma)$ the set $\{s \mid s \to^* \sigma(w)\}$ is linearly ordered by $\to^*$, then $\sigma$ is sequential. In particular, the identity prefix function is strictly monotone and sequential.

Prefix function $\sigma$ is additive if the implication

$$\sigma(w') = \sigma(w'') \implies w'(a) = w''(a)$$

holds for all strings $w', w''$ and symbols $a$. Clearly,

1. Any additive prefix function is strictly monotone.

Let $L$ be a prefix-closed language over $A$. Prefix function $\sigma$ is congruent if it preserves continuations, i.e. if for each $w', w'' \in D(\sigma)$

$$\sigma(w') = \sigma(w'') \implies \theta(D(\sigma), w') = \theta(D(\sigma), w'').$$

Clearly, the identity is congruent. Let $L$ be a prefix-closed language; the diagram of the transition relation for the prefix function defined by $\sigma(w) = \theta(L, w)$ for each $w \in L$ is the state diagram for $L$; if the state diagram for a language $L$ is finite, $L$ is regular (rational).

2. Trace behaviour of any elementary net system is a congruent and additive prefix function.

Some typical prefix functions used for specifying or analysing concurrent systems are listed below. In these examples $A$ is an alphabet, $L \subseteq A^*$ is a prefix-closed language, $D$ is a dependency relation in $A$.

• $\iota(L) : L \to L$ with $\iota(w) = w$ (identity prefix function);

• $\tau_D(L) : L \to T(D)$ with $\tau_D(w) = [w]_D$ (trace prefix function);

• $\gamma_D : L \to T(D)$ with $\gamma_D(w) = g_D(w)$ (d-graph prefix function);

• $\pi : L \to A_1^* \times A_2^* \times \cdots \times A_N^*$ with $\pi(w) = (\pi_1(w), \pi_2(w), \ldots, \pi_N(w))$ (vector prefix function);

• $\mu_L : L \to A^{\oplus}$ (multiset prefix function);

• $\Theta : L \to 2^L$ such that $\Theta(w) = \theta(L, w)$ (continuation of $w$ in $L$) (continuation prefix function);

• $l : L \to \mathbb{Z}$, where $l(w)$ is the length of $w$ (the length prefix function);

• for $P \subseteq L$, $\delta : L \to \{0, 1\}$ with $\delta(w) = 1 \iff w \in P$ (test prefix function).


Prefix function | States              | Type of identification | Ordering
----------------|---------------------|------------------------|---------
identity        | execution sequences | none                   |
trace           | execution traces    | partial commutation    |
vector          |                     | equal projections      | monotone
graph           | dependence graphs   | isomorphic graphs      |
multiset        | multisets           | all permutations       |
continuation    | control states      | same continuations     | folding
test            | truth values        | subset                 |
constant        | singleton           | all                    |

Table 1: A 'taxonomy' of prefix functions w.r.t. identification properties.


5 Contractions of prefix functions

Let $\mathcal{F}$ be a family of prefix functions over a common alphabet with a common domain. Let $\sigma_1, \sigma_2$ be two elements of $\mathcal{F}$; we say that $\sigma_2$ is a contraction of $\sigma_1$ (and write $\sigma_1 \geq \sigma_2$) if there exists a function $\psi$ such that $\sigma_1 \psi = \sigma_2$. Such a function is called a contraction of $\sigma_1$ to $\sigma_2$. Strictly speaking, any contraction is a class of equivalent functions; for prefix functions $\sigma_1, \sigma_2$, contractions $\psi', \psi''$ of $\sigma_1$ to $\sigma_2$ are equivalent, $\psi' \equiv \psi''$, if there exists a bijection $\phi$ with

$$\sigma_1 \psi' = \sigma_1 \psi'' \phi.$$

It is easy to see that any contraction $\psi$ of $\sigma_1$ to $\sigma_2$ has its canonical form $\bar{\psi}$, which is the contraction of $\bar{\sigma}_1$ to $\bar{\sigma}_2$ defined by the equality

for all $w \in D(\sigma_1) = D(\sigma_2)$. From the definition of the canonical representation of prefix functions it follows that the equivalence determined by prefix function $\sigma_1$ is a refinement of that determined by prefix function $\sigma_2$. Observe that the identity mapping is a particular case of contraction.

Any two prefix functions over the same alphabet and with a common domain will be called similar. Since any function determines uniquely an equivalence relation in its domain, and all equivalence relations in any set form a lattice, we have the following property of prefix functions:

3. A family of similar prefix functions ordered by contractions is a complete lattice with the identity as the greatest and the constant as the least element.

The above property implies that any prefix function is (isomorphic to) a contraction of the identity, and can be contracted to the constant. Observe, as an application of the contraction ordering, that the continuation prefix function is the least congruent prefix function over its domain.


^  aba 
ab 

/  aab 
e  —  a  y 


V 


aaa 


Figure  8:  Diagram  of  an  identity  prefix  function. 


a  b  *“  2  cl  -j-  b 

/  / 

0 - -  a - -2a - -3a 

Figure  9:  Multiset  contraction  of  the  prefix  function  in  Fig.  8. 

4. Contractions preserve the progress relation.

A special role in the whole family of prefix functions over $A$ with domain $D$ is played by the monotone and congruent members of the family; contractions of such prefix functions to their state diagrams are called foldings, and the prefix functions themselves unfoldings of their own state diagrams.


6 Prefix functions synchronization

One of the most important issues concerning discrete systems is their compositionality. In the case of concurrent systems, composition makes independently acting systems communicate with each other and synchronize some of their actions. On the abstract level, composition of systems is modelled by synchronization of prefix functions. The synchronization operation defined below allows us to build complex prefix functions from simple ones, to introduce an independency relation on the joint set of events, and to combine state spaces of components into a single state space. It also makes it possible to apply synchronization in the 'opposite' direction, decomposing a complex system into simpler ones and thus making the analysis and description of these systems easier.

Let $J$ be a set of indices, $(A_i)_{i \in J}$ be a family of alphabets, and let $L_i \subseteq A_i^*$ for each $i \in J$. The language

$$\mathop{\&}_{i \in J} L_i = \Bigl\{w \in \bigl(\bigcup_{i \in J} A_i\bigr)^* \;\Big|\; \forall i \in J : \pi_i(w) \in L_i\Bigr\}$$

is called the conjunction of the languages $L_i$. In case of $J = \{1, 2\}$ write $L_1 \& L_2$ rather than $\&_{i \in \{1, 2\}} L_i$.

5 .  Conjunction  of  any  family  of  prefix-closed  languages  is  a  prefix-closed  language. 

Let $(\sigma_i)_{i \in J}$ be a family of prefix functions. The synchronization of $\sigma_i$ for $i \in J$ is the prefix function

$$\sigma : \mathop{\&}_{i \in J} D(\sigma_i) \to \prod_{i \in J} R(\sigma_i)$$

such that for each $w \in \&_{i \in J} D(\sigma_i)$ and each $i \in J$

$$(\sigma(w))_i = \sigma_i(\pi_i(w)),$$

where $(\sigma(w))_i$ denotes the $i$-th component of the tuple $\sigma(w)$, a member of the cartesian product $\prod_{i \in J} R(\sigma_i)$. The synchronization of the family $\{\sigma_i\}_{i \in J}$ will be denoted by $\|_{i \in J}\, \sigma_i$. In case of $J = \{1, 2\}$ write $\sigma_1 \| \sigma_2$ rather than $\|_{i = 1, 2}\, \sigma_i$.

The  idea  of  the  synchronization  defined  above  originates  from  modular  de¬ 
scription  of  Petri  nets  [5]  and  from  string  vectors  of  Shields  [12].  Since  the  domain 
of  the  synchronization  defined  as  above  is  prefix  closed,  we  have  the  following: 

6.  The  synchronization  of  prefix  functions  is  a  prefix  function. 

Since for any sets $S_1, S_2, S_3$ there exist obvious bijections from $S_1 \times S_2$ to $S_2 \times S_1$, from $\{(s, s) \mid s \in S\}$ to $S$, and from $(S_1 \times S_2) \times S_3$ to $S_1 \times (S_2 \times S_3)$ meeting the required isomorphism conditions, we have the following property of the synchronization operation:

7. The synchronization is idempotent, commutative, and associative, i.e. for all prefix functions $\sigma, \sigma_1, \sigma_2, \sigma_3$:

$$\sigma \| \sigma = \sigma,$$
$$\sigma_1 \| \sigma_2 = \sigma_2 \| \sigma_1,$$
$$(\sigma_1 \| \sigma_2) \| \sigma_3 = \sigma_1 \| (\sigma_2 \| \sigma_3).$$

If $R_1 \subseteq S_1^2$, $R_2 \subseteq S_2^2$, then the product of $R_1, R_2$ is the relation $R_1 \times R_2 \subseteq (S_1 \times S_2)^2$ such that

$$(s_1', s_2')\,(R_1 \times R_2)\,(s_1'', s_2'') \iff s_1' R_1 s_1'' \wedge s_2' R_2 s_2''.$$

From  the  synchronization  definition  it  follows  that 

8.  Progress  relation  of  the  synchronization  is  the  product  of  progress  relations  of 
the  synchronization  components  restricted  to  the  range  of  the  synchronization. 

By  the  definition  of  the  step  relation  of  prefix  functions  and  of  the  synchronization 
operation  we  have: 

9. Synchronization of (strictly) monotone prefix functions is (strictly) monotone.

The cartesian product of functions $\phi_1 : D_1 \to R_1$, $\phi_2 : D_2 \to R_2$ is the function $\phi_1 \times \phi_2 : D_1 \times D_2 \to R_1 \times R_2$ such that

$$(\phi_1 \times \phi_2)(d_1, d_2) = (\phi_1(d_1), \phi_2(d_2)).$$

10. Synchronization of contracted prefix functions is a contraction of their synchronization; more precisely,

$$(\sigma_1 \phi_1) \| (\sigma_2 \phi_2) = (\sigma_1 \| \sigma_2)(\phi_1 \times \phi_2)$$

for all prefix functions $\sigma_1, \sigma_2$ and all contractions $\phi_1, \phi_2$.

The above fact is crucial for a compositional approach to system description. If system descriptions are viewed as contractions of their behaviours, then by the above fact the behaviour of composed systems is the composition of their components' behaviours; and both systems and their behaviours can be represented at an arbitrary level of abstraction.

Figure 10: Synchronization and contractions.


According  to  the  above  definition  of  the  synchronization  operation,  synchro¬ 
nization  of  identity  prefix  functions  is,  in  general,  not  sequential.  Moreover,  it 
turns  out  that 

11 .  Any  trace  prefix  function  is  the  synchronization  of  a  finite  number  of  sequential 
prefix  functions. 

It is worthwhile to compare the synchronization of identity prefix functions with the conjunction of their domains. Let $A_1, A_2$ be alphabets, $L_1 \subseteq A_1^*$, $L_2 \subseteq A_2^*$ be prefix-closed languages; then the relationship between conjunction and synchronization is as shown in the diagram below ($\pi : (A_1 \cup A_2)^* \to A_1^* \times A_2^*$ is defined by $\pi(w) = (\pi_1(w), \pi_2(w))$ where $\pi_1, \pi_2$ are projections on $A_1, A_2$, respectively).

Figure 11: Conjunction and synchronization.

Synchronization of identity prefix functions is, in general, not an identity prefix function and can introduce an independency of some actions (and hence convert linear orderings of components into a partial ordering of the synchronization result); this independency is 'static', i.e. fixed for all possible runs of the described system. By the synchronization defined above it is not possible to introduce a 'context-sensitive' concurrency (depending upon the system history). To be more precise, let us define so-called structural independency. Let $\sigma$ be a prefix function, $a, b$ be elements of $A(\sigma)$. We say that $a, b$ are structurally independent in $\sigma$ if there are prefix functions $\sigma', \sigma''$ such that $\sigma = \sigma' \| \sigma''$ and $a \in A(\sigma') - A(\sigma'')$, $b \in A(\sigma'') - A(\sigma')$. If $a, b$ are structurally independent, then $a \neq b$, and for each $w \in A(\sigma)^*$

$$\bigl(wab \in D(\sigma) \iff wba \in D(\sigma)\bigr) \wedge \sigma(wab) = \sigma(wba).$$

The trace independency is an example of structural independency. There is, however, another type of independency, call it inner independency; say $a$ and $b$ are in the inner independency relation if for all $w \in A^*$

$$wba \in D(\sigma) \implies wab \in D(\sigma) \wedge \sigma(wba) = \sigma(wab),$$

but for some $w \in A^*$

$$wab \in D(\sigma) \wedge wba \notin D(\sigma).$$

The inner independency of transitions is typical for the behaviour of place/transition Petri nets.


7 Atomic prefix functions

A prefix function is atomic if it is not the result of synchronization of components with different domains. Thus, any prefix function is either atomic, or it can be obtained by the synchronization of a number of atomic prefix functions. Knowledge of the properties of the atomic prefix functions of a family can be extended to knowledge of the properties of all members of the family. Here, we concentrate on families of prefix functions that are applied for descriptions or specifications of Petri nets. In particular, we shall seek atomic prefix functions for some of the descriptive means considered above.

It follows directly from the definition that in atomic prefix functions no two symbols are structurally independent; thus, finding atomic prefix functions allows us to discuss the inner independency. It turns out that even very simple atomic prefix functions exhibit inherent difficulties of adequate description of concurrency.

12. Every sequential prefix function is atomic.

Since in a trace prefix function all independent symbols are structurally independent, and because of the isomorphism of trace prefix functions, Shields prefix functions, and d-graph prefix functions, we have the following:

13. Every atomic trace prefix function is sequential; every atomic Shields prefix function has a single component, and every atomic d-graph prefix function is a graph of a linear ordering.

Let us consider the behaviour of PT-nets and the atomic prefix functions describing their behaviour. First, define the composition of PT-nets [5]. Let

$$N_1 = (P_1, T_1, F_1, m_1), \qquad N_2 = (P_2, T_2, F_2, m_2)$$

be PT-nets; their composition is defined as the PT-net

$$N_1 \bowtie N_2 = (P_1 + P_2,\ T_1 \cup T_2,\ F,\ m)$$

where $P_1 + P_2$ is the disjoint union of $P_1, P_2$ and $F, m$ are defined as follows for all $p \in P_1 + P_2$, $t \in T_1 \cup T_2$:

$$F(p, t) = \begin{cases} F_1(p, t), & \text{if } p \in P_1 \wedge t \in T_1, \\ F_2(p, t), & \text{if } p \in P_2 \wedge t \in T_2, \\ 0, & \text{if } (p \in P_1 \wedge t \notin T_1) \vee (p \in P_2 \wedge t \notin T_2), \end{cases}$$

$$m(p) = \begin{cases} m_1(p), & \text{if } p \in P_1, \\ m_2(p), & \text{if } p \in P_2 \end{cases}$$

(notice that $T_1$ and $T_2$ need not be disjoint). From the definition it follows at once that the composition operation on PT-nets is associative and commutative (under a suitable isomorphism of nets it can also be made idempotent). This definition can be easily extended to any number of components.

14. Let $\beta_i^s, \beta_i^m, \beta_i^{\oplus}$ be the sequential behaviour, marking behaviour, multiset behaviour, respectively, of $N_i$ ($i = 1, 2$), and let $\beta^s, \beta^m, \beta^{\oplus}$ be the sequential behaviour, marking behaviour, multiset behaviour, respectively, of $N_1 \bowtie N_2$. Then

$$\beta^s = \beta_1^s \| \beta_2^s, \qquad \beta^m = \beta_1^m \| \beta_2^m, \qquad \beta^{\oplus} = \beta_1^{\oplus} \| \beta_2^{\oplus}.$$

This proves the soundness of the prefix function synchronization definition with respect to the composition of concurrent systems described by PT-nets.

Atomic multiset prefix functions arise as the behaviour of the one-place PT-net shown below and, in contrast to the previous ones, may exhibit inner independency of symbols. The net in Figure 12 is an example of an atomic PT-net, or producer-consumer system. Any PT-net can be viewed as the synchronization of a number of producer-consumer systems; thus, the behaviour of PT-nets depends upon the understanding of the producer-consumer system activity. In particular, having chosen a state space for such atomic systems, the set of states of any PT-net is the cartesian product of the atomic sets of states.


Figure  12:  An  atomic  place/transition  net. 


The behaviour of the above PT-net, according to the common interpretation, can be described by means of execution sequences and is given by the identity prefix function with the domain

$$D = \ker\Bigl\{w \in T^* \;\Big|\; k + \sum_{i=1}^{n} j_i\, w(a_i) - \sum_{i=1}^{m} k_i\, w(b_i) \geq 0\Bigr\},$$

where $T = \bigcup_{i=1}^{n} \{a_i\} \cup \bigcup_{i=1}^{m} \{b_i\}$ (recall that $w(a)$ denotes the number of occurrences of symbol $a$ in string $w$). However, this description does not capture the inner independency of transitions in $T$. The multiset description, introducing as much independency as possible, is given by the contraction of $\iota(D)$ by the homomorphism $\mu$ from $T^*$ to $T^{\oplus}$. The choice of the multiset prefix function as a means of description is natural here, since the condition defining the above set of strings depends exclusively on the multiplicities of symbols in strings, which are the same for strings and the multisets corresponding to them.

The behaviour of an arbitrary PT-net is given by the synchronization of atomic prefix functions, constructed for each place of the original net. Let $N = (P, T, F, m^0)$ be a PT-net and let for each $p \in P$ the net $N_p = (\{p\}, T_p, F_p, m_p)$ be the atomic (i.e. one-place) PT-net with functions $F_p, m_p$ arising from $F, m^0$ by their restriction to $\{p\} \times T$ and $\{p\}$, respectively. By the result quoted above, the behaviour of $N = (P, T, F, m^0)$ can be obtained by the synchronization of the behaviours of all its atomic (one-place) nets, constructed for each $p \in P$:

$$\beta_N = \|_{p \in P}\, \beta_{N_p}.$$
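The state space $B$ of formula (1), the confluence test behind the runs of $N_1$ and $N_2$ (Figures 4 and 6), and the decomposition $\beta_N = \|_{p \in P}\, \beta_{N_p}$ above, worked out as an added Python example that is not code from the paper. It assumes: multisets over $T$ are tuples of multiplicities; $\ker$ is read as the set of multisets reachable from the empty multiset by adding one transition at a time without leaving the constraint set; $T_p$ keeps only the transitions with $F(p, t) \neq 0$; and runs are found by brute force over subsets, which is only meant for the small example state spaces.

```python
from itertools import combinations, product
from typing import Dict, Iterable, List, Tuple

Multiset = Tuple[int, ...]  # multiplicities of the transitions, in the order of PTNet.T


class PTNet:
    """A PT-net N = (P, T, F, m0) with F : P x T -> Z; pairs missing from F are 0."""

    def __init__(self, P: Iterable, T: Iterable, F: Dict[tuple, int], m0: Dict):
        self.P, self.T, self.F, self.m0 = list(P), list(T), dict(F), dict(m0)

    def f(self, p, t) -> int:
        return self.F.get((p, t), 0)

    def is_firing_sequence(self, w: Iterable) -> bool:
        """w in D(beta_N): delta_N is defined at every step, i.e. no place goes negative."""
        m = dict(self.m0)
        for t in w:
            for p in self.P:
                m[p] += self.f(p, t)
            if min(m.values()) < 0:
                return False
        return True

    def marking_of(self, r: Multiset) -> Dict:
        """The marking m0(p) + sum_t F(p, t) r(t) that multiset r determines."""
        return {p: self.m0[p] + sum(self.f(p, t) * r[i] for i, t in enumerate(self.T))
                for p in self.P}

    def multiset_state_space(self, cap: int = 8) -> List[Multiset]:
        """B of formula (1).  Assumption: ker = multisets reachable from 0 by adding
        one transition at a time while all places stay non-negative (the reading
        under which R(beta'_N) = B).  `cap` bounds multiplicities on unbounded nets."""
        zero = tuple(0 for _ in self.T)
        B, frontier = {zero}, [zero]
        while frontier:
            nxt = []
            for r in frontier:
                for i in range(len(self.T)):
                    s = r[:i] + (r[i] + 1,) + r[i + 1:]
                    if r[i] < cap and s not in B and min(self.marking_of(s).values()) >= 0:
                        B.add(s)
                        nxt.append(s)
            frontier = nxt
        return sorted(B)

    def atomic_net(self, p) -> "PTNet":
        """N_p = ({p}, T_p, F_p, m_p); assumption: T_p keeps only t with F(p, t) != 0."""
        Tp = [t for t in self.T if self.f(p, t) != 0]
        return PTNet([p], Tp, {(p, t): self.f(p, t) for t in Tp}, {p: self.m0[p]})

    def decomposition_agrees(self, max_len: int) -> bool:
        """beta_N = ||_p beta_{N_p} checked on all strings up to max_len: w is a firing
        sequence of N iff every projection pi_p(w) is a firing sequence of N_p."""
        parts = [self.atomic_net(p) for p in self.P]
        for n in range(max_len + 1):
            for w in product(self.T, repeat=n):
                synchronized = all(a.is_firing_sequence([t for t in w if t in a.T]) for a in parts)
                if synchronized != self.is_firing_sequence(w):
                    return False
        return True


def sup(r: Multiset, s: Multiset) -> Multiset:
    """max(r, s) in the multiset ordering: pointwise maximum of multiplicities."""
    return tuple(max(x, y) for x, y in zip(r, s))


def is_confluent(S: Iterable[Multiset]) -> bool:
    """Every pair of elements of S has its max in S."""
    S = set(S)
    return all(sup(r, s) in S for r, s in combinations(S, 2))


def maximal_confluent_subsets(B: List[Multiset]) -> List[List[Multiset]]:
    """The runs of the net: maximal confluent subsets of B.  Brute force over
    subsets, intended only for small state spaces such as B_1 and B_2."""
    runs: List[List[Multiset]] = []
    for k in range(len(B), 0, -1):
        for S in combinations(B, k):
            if is_confluent(S) and not any(set(S) <= set(R) for R in runs):
                runs.append(list(S))
    return runs


# Constructed input: the nets N_1 (Figure 4) and N_2 (Figure 6) of the text.
N1 = PTNet([1, 2, 3, 4], "abc",
           {(1, "a"): -1, (2, "b"): -1, (3, "c"): -1, (4, "c"): -1, (4, "a"): 1, (4, "b"): 1},
           {1: 1, 2: 1, 3: 1, 4: 0})
N2 = PTNet([1, 2, 3, 4], "abc",
           {(1, "a"): -1, (2, "b"): -1, (4, "b"): -1, (3, "c"): -1, (4, "c"): -1, (4, "a"): 1},
           {1: 1, 2: 1, 3: 1, 4: 1})

if __name__ == "__main__":
    for name, net in (("N1", N1), ("N2", N2)):
        B = net.multiset_state_space()
        print(name, "B =", B, "confluent:", is_confluent(B), "runs:", maximal_confluent_subsets(B))
        print(name, "beta_N = ||_p beta_{N_p} on strings up to length 6:", net.decomposition_agrees(6))
```

Tuples are ordered $(r(a), r(b), r(c))$, so $(0, 1, 1)$ is the multiset $b + c$, which is in $B_1$ but not in $B_2$; $N_2$ accordingly yields two runs where $N_1$ yields one.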

It is worthwhile to note the simplicity of the atomic prefix functions describing the behaviour of one-place nets; interpreting them as producer-consumer systems, production and consumption rates are assumed here to be fixed and to contribute to the whole production in a linear way. One can imagine a theory of 'cooperating' producer-consumer systems that act according to a more general principle; such a system would be, e.g., the synchronization of atomic prefix functions $\sigma_i$ with domains

$$D(\sigma_i) = \ker\{w \in A_i^* \mid p_i(w) \geq 0\},$$

where $p_i : A_i^* \to \mathbb{Z}$ is a more general 'total productivity' function of unit $i$, returning for the activity sequence $w$ of agents from $A_i$ the total balance of produced and consumed items.

8 Conclusions

Prefix functions, thought of as a unifying concept for describing concurrent processes on different levels of accuracy, have been presented. Sets of strings built up from elementary actions (events) occurring in processes have been taken as the basis for further transformations. Prefix functions connect strings (also called execution sequences) with some objects that can be called states. States can be chosen depending on actual needs; therefore, in the prefix function approach the choice of states is left to the user. From the prefix function point of view states are abstract entities, determined by the sets of event sequences leading to them; the interpretation of states lies outside the prefix function formalism and serves only as a tool for state identification. In the prefix function approach states are nothing but classes of equivalent sequences of event occurrences; different prefix function descriptions of the same system differ only by the degree of such sequence identification.

From  examples  of  applying  prefix  functions  to  the  behaviour  description  of 
known  systems,  as  Petri  nets,  it  follows  adequacy  of  prefix  functions  as  describing 


tools.  The  stress  has  been  put  upon  two  main  operations  on  prefix  functions  that 
allow  to  construct  new  prefix  functions  of  the  already  defined  ones:  contraction, 
‘squeezing’  a  considered  state  space,  and  synchronization,  introducing  structural 
concurrency  and  enlarging  the  state  space. 
Elements of an Automata Theory Over Partial Orders

Wolfgang  Thomas 


ABSTRACT. A model of nondeterministic finite automaton over (finite) partial
orders is introduced. It captures existential monadic second-order logic in
expressive power and generalizes classical word automata and tree automata.
Special forms, such as deterministic automata, are discussed, and logical and
algorithmic properties are analyzed, like closure under complement and decidability
of the nonemptiness problem. These questions are studied in the context
of different classes of partial orders, such as trees, Mazurkiewicz traces,
or rectangular grids.


1.  Introduction 

While automata over strings and trees are a well-known, widely used, and
robust model, with many applications in the specification and verification of
concurrent programs, the area of “finite automata over partial orders” cannot be called
an established subject, despite the fact that partial orders are a natural domain for
the study of concurrency. A possible reason for this is that many properties of finite
automata which are essential in logical or algorithmic applications fail to hold when
partial orders are considered as inputs (instead of strings or trees). Such properties
are: equivalence between the deterministic and the nondeterministic model, closure
under operations like complementation or projection, characterization by natural
logical systems (like monadic second-order logic), and decidability of the
nonemptiness problem (in logical terms: satisfiability problem). A possible remedy in this
situation is to confine oneself to a narrower view of partial orders, for instance by
extracting only sets of paths from partial orders, which brings back the framework
of classical formal language theory.

In the present paper we stay with proper partial orders as inputs of automata
and try to set up connections between such generalized automata and logical
systems. We suggest a model of finite automaton which keeps the basic intuitive idea
of nondeterministic automata on words: It is a device which scans “local
neighbourhoods” in a given partial order while (nondeterministically) assigning states
to the points of this partial order. We show that the details of this idea can be
fixed in such a way as to allow a clear connection to logical descriptions: A set of
(finite and labelled) partial orders is recognizable by such a finite automaton iff it is
definable in existential monadic second-order logic (i.e., by a sentence which begins
with a prefix of existential set quantifiers, followed by a first-order formula). If the
structures under consideration are even linearly ordered (i.e., words) or if they are
labelled trees, this result can be sharpened to the well-known equivalence between
automata and (full) monadic second-order logic. So, regarding automata theory in
a general context, existential monadic second-order logic can be considered as more
basic than unrestricted monadic second-order logic.

In the automata theoretic view, where the notion of “local neighbourhood”
is essential, it is useful to identify a (discrete) partial order $<$ with an acyclic
directed graph, taking as edge relation $E$ the minimal relation which generates by
its reflexive transitive closure the partial order $<$. (Thus $(u,v) \in E$ holds iff $u$ and
$v$ are distinct, $u < v$, and there is no $w$ with $u < w < v$.)

We shall confine ourselves to finite acyclic graphs of this form in the present
paper. While the basic ideas are easily transferred also to infinite structures, some
additional difficulties arise in connection with logic, namely the choice of appropriate
acceptance conditions in automata. It is (as yet) not clear whether simple
acceptance conditions exist which lead to a characterization of interesting logical
systems (as, for example, the model of tree automaton with the Rabin acceptance
condition of [Rab69] characterizes monadic second-order logic over infinite labelled
binary trees).

As  it  turns  out,  the  properties  of  automaton  definable  sets  depend  on  the 
particular  class  of  partial  orders  (or  acyclic  graphs)  which  are  allowed  as  inputs. 
Special  cases  of  such  classes  are:  words,  trees,  Mazurkiewicz  trace  graphs,  and 
labelled  rectangular  grids.  We  investigate  two  basic  questions:  Are  the  automaton 
recognizable  sets  closed  under  complement?  When  is  the  nonemptiness  problem 
decidable? 

The  paper  is  structured  as  follows:  In  the  subsequent  two  sections  we  introduce 
the  necessary  terminology  concerning  partial  orders  and  acyclic  graphs,  as  well  as 
the  logical  systems  of  first-order  logic  and  monadic  second-order  logic.  Some  easy 
propositions  are  listed  which  illustrate  the  expressive  power  of  these  logics.  In  a 
section  on  first-order  logic  we  present  the  key  theorem  which  supplies  a  bridge  to 
automata  theory.  It  is  a  classical  result  of  first-order  model  theory,  due  to  Hanf 
[Hnf65],  but  not  well-known  in  the  community  of  theoretical  computer  science. 
Automata  over  acyclic  graphs  are  introduced  in  Section  5.  Some  special  forms  are 
presented,  and  classes  of  partial  orders  are  singled  out  over  which  these  special 
forms  are  no  restriction  (i.e.,  normal  forms  of  automata).  In  Section  6  we  analyze 
the  possibility  of  showing  complementation  lemmas  and  study  the  nonemptiness 
problem.  The  concluding  section  offers  some  directions  for  further  research. 

The  approach  adopted  in  this  paper  is  based  on  ideas  of  [Th91].  Further  results 
which  serve  as  background  have  been  shown  in  [GRST96]  (mostly  concerning 
labelled  rectangular  grids)  and  [PST94]  (concerning  general  acyclic  graphs).  We 
cannot  provide  full  proofs  in  this  short  communication,  but  try  to  give  enough 
information  to  enable  the  reader  to  supply  the  details. 


2.  Partial  Orders  and  Acyclic  Graphs 

As indicated in the introduction, we consider partial orders in the form of
acyclic vertex-labelled and edge-labelled directed graphs. Usually we take $A$ as
label alphabet for vertices and $B$ as label alphabet for edges (both alphabets are
finite). As a relational structure, a graph is thus presented in the form

$$G = (V, (P_a)_{a \in A}, (E_b)_{b \in B})$$

where $V$ is the set of vertices, the $P_a$ are disjoint subsets of $V$ whose union is $V$,
and the $E_b$ are disjoint non-reflexive binary relations over $V$. The edge set is the
union $E = \bigcup_{b \in B} E_b$. Thus, we consider a vertex $v$ to be labelled with letter $a$ if
$v \in P_a$, and an edge $(u,v)$ to be labelled with letter $b$ if $(u,v) \in E_b$. In the sequel,
such graphs are always assumed to be acyclic (which means that no nonempty path
exists from a vertex $v$ back to $v$). Hence one obtains a partial order when forming
the reflexive transitive closure $E^*$ of the edge set $E$. We shall also assume that $E$
is given as the minimal edge relation generating a partial order; this means we exclude
the existence of an edge $(u,v)$ in the presence of a vertex $w$ with nonempty paths
from $u$ to $w$ and from $w$ to $v$. A vertex $u$ is called root of a partial order $<$ if $u < v$
for all vertices $v$; in the dual case (when $v < u$ holds for all vertices $v$) we speak of
a co-root.

A special case of edge labelling is called indexing, namely when the label
alphabet is a set $\{1, \dots, k\}$ and either the out-edges of each vertex are numbered by
$1, \dots, i$ for some $i \le k$, or the corresponding holds for the ingoing edges of each
vertex. (We shall speak of out-edge indexing, respectively in-edge indexing.)

Let us consider the possibility of accepting such graphs by finite-state devices.
We follow the intuitive idea that acceptance is based on a scanning process which
checks all “local neighbourhoods” in the graph $G$ under consideration. This
scanning process should associate (generally in a nondeterministic way) states from a
finite state-set $Q$ to the vertices of $G$. Here, a minimal version of neighbourhood is
given by a vertex together with its incoming and outgoing edges and their source
vertices, respectively target vertices. If the acceptor (or graph automaton) is
honestly finite, it can distinguish only a fixed number of different local neighbourhoods.
In order to match this assumption on finite-state acceptors, we allow only graphs
of bounded degree in a recognizable or definable set, i.e., graphs where for each
vertex $v$ the number of vertices $u$ with $(u,v) \in E$ or $(v,u) \in E$ is bounded by a
predefined constant $d$. If such a bound is dropped, non-isomorphic neighbourhoods
will be confused. This more general case could also be handled in the framework
to be developed below, but it adds complications and distracts from the essential
points.

Let us list some basic classes of graphs and associated partial orders which fall
under these conventions.

•  Words over an alphabet $A$: These are (in our case nonempty) structures
$(\{1, \dots, n\}, (P_a)_{a \in A}, E)$ where $n$ is the length of the word, $1, \dots, n$ are the
letter positions, $P_a$ collects the positions carrying letter $a$, and $E$ is the
successor relation on $\{1, \dots, n\}$.

•  Ordered labelled trees: Taking the case of binary trees as a typical example,
these are graphs of the form $(V, (P_a)_{a \in A}, E_1, E_2)$, where $V$ is the set of tree
nodes, the sets $P_a$ are used as for words, and $E_1$, $E_2$ are the two relations of
“first successor” and “second successor”, respectively. In the usual way, this
numbering of the successors induces a “left-to-right ordering” on the set of
leaves.

•  Dependency graphs of Mazurkiewicz traces (cf. [DR95]): Here the alphabet
$A$ is given together with a reflexive and symmetric dependency relation
$D \subseteq A \times A$. The format of dependency graphs is the same as for words,
however $E$ does not necessarily generate a linear order but just a partial one:
The edge relation $E$ respects $D$ in the sense that edges connect only vertices
with dependent letters and that any two vertices labelled by dependent
letters are connected by a path. By reflexivity of $D$, the size of antichains in
dependency graphs (subsets consisting of pairwise unrelated vertices in the
associated partial order) is bounded by the size of the alphabet; we say that
dependency graphs have bounded antichains.

•  Rectangular grids (“two-dimensional words”, “pictures”, cf. [GRST96]): In
this case, the vertices are arranged in a two-dimensional array, connected by
a horizontal successor relation $E_1$ (“to the right”) and a vertical successor
relation $E_2$ (“downwards”). Thus the signature coincides with that of binary
trees.

•  Mirror tree concatenations: These are obtained by concatenating tree structures
$t_1, s_1, t_2, s_2, \dots, t_k, s_k$ in the following way (we just consider the case
of binary trees): Each $t_i$ is a binary tree as above, each $s_i$ is obtained from
a binary tree (with the same number of leaves as in $t_i$) by inverting the edge
directions (which makes leaves into “sources” and the root into a “target”),
and concatenation is carried out by identifying the leaves of $t_i$ (left to right)
with the sources of $s_i$ (right to left), and identifying the target of $s_i$ with
the root of $t_{i+1}$.

•  (Acyclic) graphs of bounded tree-width $k$ (cf. e.g. [Cou89], [See92]): These
graphs are associated to trees by the following condition: There is a covering
of the vertex set by a collection of vertex sets (called “clusters” here), on
which an undirected edge relation $R$ exists such that

1.  for each graph edge $(u,v)$ there is a cluster containing $u$ and $v$,

2.  the clusters together with $R$ define an undirected tree $t$,

3.  each cluster $C$ contains at most $k$ vertices,

4.  the clusters in which a given vertex $v$ occurs form a connected subset
of the tree $t$.

In the order of the list above, we denote the respective classes of acyclic graphs
by Words, Trees, Traces, Grids, MTreeC, BTWGraphs.
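The four conditions in the last item are easy to get wrong when a cluster covering is read off a graph by hand. The following Python is an added example written for this page (it is not code from the paper) that checks them mechanically. The function names, the representation of the clusters as a list of vertex sets and of $R$ as a set of pairs of cluster indices, and the sample graph (the $2 \times 2$ grid) are assumptions made here; the bound $k$ is used as in the paper, i.e. as the maximal cluster size.

```python
"""Added example: checking conditions 1-4 of the tree-width definition above.

G is given by a vertex list V and a list of directed edges E; a candidate
decomposition by `clusters` (a list of vertex sets) and R (a set of pairs of
cluster indices, read as undirected edges).  These names and the sample
graph below are assumptions of this example, not notation from the paper.
"""
from collections import defaultdict


def connected(nodes, edges):
    """True iff the undirected graph (nodes, edges) is connected (or empty)."""
    nodes = set(nodes)
    if not nodes:
        return True
    adj = defaultdict(set)
    for x, y in edges:
        adj[x].add(y)
        adj[y].add(x)
    seen, stack = set(), [next(iter(nodes))]
    while stack:
        x = stack.pop()
        if x not in seen:
            seen.add(x)
            stack.extend(adj[x] & nodes)
    return seen == nodes


def tree_decomposition_violations(V, E, clusters, R, k):
    """Return the numbers of the violated conditions (empty list iff the
    clusters with R witness that (V, E) has tree-width at most k in the
    sense of Section 2: clusters of at most k vertices).  0 flags that the
    clusters do not even cover V."""
    bad = []
    R = {frozenset(e) for e in R}
    tree_edges = [tuple(e) for e in R if len(e) == 2]
    idx = range(len(clusters))
    if set().union(*clusters) != set(V):
        bad.append(0)
    # 1. every edge of G lies inside some cluster
    if any(not any(u in C and v in C for C in clusters) for u, v in E):
        bad.append(1)
    # 2. clusters and R form a tree: connected, and |R| = #clusters - 1
    if (len(tree_edges) != len(R) or len(R) != len(clusters) - 1
            or not connected(idx, tree_edges)):
        bad.append(2)
    # 3. no cluster has more than k vertices
    if any(len(C) > k for C in clusters):
        bad.append(3)
    # 4. the clusters containing v induce a connected subtree of t
    for v in V:
        occ = {i for i in idx if v in clusters[i]}
        if not connected(occ, [e for e in tree_edges if set(e) <= occ]):
            bad.append(4)
            break
    return bad


# Constructed sample: the 2 x 2 grid 1 -> 2, 1 -> 3, 2 -> 4, 3 -> 4.
GRID_V = [1, 2, 3, 4]
GRID_E = [(1, 2), (1, 3), (2, 4), (3, 4)]
GOOD = ([{1, 2, 3}, {2, 3, 4}], {(0, 1)})          # two clusters, one tree edge
PATH = ([{1, 2}, {3, 4}, {1, 3}, {2, 4}], {(0, 2), (2, 1), (1, 3)})  # path 0-2-1-3

if __name__ == "__main__":
    print(tree_decomposition_violations(GRID_V, GRID_E, *GOOD, 3))   # []
    print(tree_decomposition_violations(GRID_V, GRID_E, *GOOD, 2))   # [3]
    print(tree_decomposition_violations(GRID_V, GRID_E, *PATH, 2))   # [4]
```

The last call shows why condition 4 matters: covering every edge of the grid with two-element clusters arranged in a path satisfies conditions 1 to 3, but the clusters containing vertex 2 are no longer connected in $t$, so this grid has no decomposition with $k = 2$ and needs a cluster of three vertices.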


3.  Basic  Logics 

In the sequel, words, trees, traces, grids, and, in general, acyclic graphs, are
considered as relational structures of the forms above. This allows us to introduce
logical definability notions in a uniform way. Here we do this in the framework of
monadic second-order logic. Over graphs with the label alphabets $A$ (for vertices)
and $B$ (for edges), formulas of monadic second-order logic involve variables $x, y, \dots$
for vertices and $X, Y, \dots$ for sets of vertices; they are built up from atomic formulas

$$P_a(x) \ (\text{for } a \in A), \quad E_b(x,y) \ (\text{for } b \in B), \quad x = y, \quad X(y)$$

by means of the connectives $\neg, \vee, \wedge, \to, \leftrightarrow$ and the quantifiers $\exists, \forall$ which may be
applied to either kind of variable. The notation $\varphi(x_1, \dots, x_m, X_1, \dots, X_n)$
indicates that in the formula $\varphi$ at most the variables $x_1, \dots, x_m, X_1, \dots, X_n$ occur
free, i.e., not in the scope of a quantifier. If $G = (V, (P_a^G)_{a \in A}, (E_b^G)_{b \in B})$ is a graph,
$v_1, \dots, v_m \in V$, $V_1, \dots, V_n \subseteq V$, the satisfaction relation

$$(G, v_1, \dots, v_m, V_1, \dots, V_n) \models \varphi(x_1, \dots, x_m, X_1, \dots, X_n)$$

holds if $\varphi$ is formed for the signature given by the label alphabets $A$, $B$ and satisfied
in $G$ when interpreting $x_i$ by $v_i$, $X_i$ by $V_i$, and of course $=$ by equality, $P_a$ by $P_a^G$,
and $E_b$ by $E_b^G$. The superscripts $G$ thus distinguish the relations in interpretations
from relation symbols in formulas; they will be omitted (as done also above) when
no confusion arises.

Let $\mathcal{K}$ be a class of (acyclic) graphs. Relative to $\mathcal{K}$, a sentence $\varphi$ defines the
(graph) language

$$L(\varphi) = \{G \in \mathcal{K} \mid G \models \varphi\}.$$

A language $L \subseteq \mathcal{K}$ is called definable in monadic second-order logic (short: MSO-
definable) if some sentence $\varphi$ with $L = L(\varphi)$ exists.

The significance of monadic second-order logic (MSO-logic) for automata theory
rests on the following classical result for the class Words:

Theorem 3.1. (Büchi [Bu60], Elgot [Elg61])

A language $L \subseteq A^+$ is recognizable by a finite automaton iff it is MSO-definable.

Proof. The idea for the step from automata to MSO-formulas is to introduce,
for any state $q_i$ of the given automaton, a set variable $X_i$ for the set of those
positions in a word where state $q_i$ is assumed in a run. One formalizes the existence
of an accepting run of an automaton with $n$ states $q_0, \dots, q_{n-1}$ over a word $w$ by
saying that there are sets $X_0, \dots, X_{n-1}$ such that the first letter position belongs
to $X_0$ (assuming $q_0$ is the initial state), each successor step is compatible with the
transition relation of the automaton, and from the state on the last position, one
reaches by the last letter a final state. Note that the first and last position are
definable by the formulas $\neg\exists y\, E(y,x)$ and $\neg\exists y\, E(x,y)$, respectively. The resulting
formula is an existential monadic second-order formula, short an EMSO-formula.

The converse direction, from MSO-formulas to automata, is based on standard
closure properties of automaton recognizable languages, namely closure under
union and complement (which captures propositional logic) and projection (which
captures the existential quantifier). For a more detailed proof see e.g. [Th96]. □

By  applying  the  second  and  the  first  part  of  the  proof  in  succession,  one  obtains 
that  an  MSO-formula  (over  word  graphs)  can  be  rewritten  as  an  EMSO-formula. 

The basis of the proof above is the equivalence between nondeterministic and
deterministic finite automata: Nondeterminism serves to show closure of recognizable
sets under projection, determinism shows closure under complement. The
reduction to deterministic automata was shown also for finite automata over trees
(using the “frontier-to-root mode” in tree automata, cf. [GS84]), whence an analogue
of the theorem above holds also for the class Trees, including the reduction of
MSO-logic to EMSO-logic. Without treating definitions in detail, let us also mention
that over Traces a similar development is possible, now invoking Zielonka’s
construction of deterministic asynchronous automata ([Zi87]).

Let us introduce further subsystems of MSO-logic, including first-order logic
with different signatures.

In the traditional classification of second-order formulas, the EMSO-formulas
are also called monadic $\Sigma^1_1$-formulas. The dual formulas, where a prefix of
universal set quantifiers precedes a first-order kernel, are called monadic $\Pi^1_1$-formulas.
The corresponding properties (defined by such formulas) are called monadic $\Sigma^1_1$-
properties, respectively monadic $\Pi^1_1$-properties. A property which is both monadic-
$\Sigma^1_1$ and monadic-$\Pi^1_1$ is called a monadic $\Delta^1_1$-property. In short we speak of mon$\Sigma^1_1$-,
mon$\Pi^1_1$-, and mon$\Delta^1_1$-properties. By $(\mathrm{mon}\Delta^1_1)_{Words}$ we denote the class of word
properties (or: word languages) which are mon$\Delta^1_1$-definable; similarly for the other
definability notions.

As an example, consider a monadic $\Sigma^1_1$-sentence which says that a successful run
of a finite automaton over a word exists (see the proof above). For a deterministic
finite automaton this sentence can also be written as a monadic $\Pi^1_1$-sentence, namely
as saying: “All state sequences which start in the initial state and which for any two
succeeding positions are compatible with the transition relation, have a state on the
last letter position from which (by the last letter) a final state is reached.” Since
finite automata on words can be made deterministic, we thus have the following
equalities:

Proposition 3.2.

$$(\mathrm{mon}\Delta^1_1)_{Words} = (\mathrm{mon}\Sigma^1_1)_{Words} = (\mathrm{mon}\Pi^1_1)_{Words} = \mathrm{MSO}_{Words}.$$

The same is true over Trees.

First-order logic, short FO-logic (over acyclic graphs) is obtained from MSO-
logic as above by dropping set quantifications. Typical quantifications in this logic
are of the form $\exists y (E_b(x,y) \wedge \varphi(y))$ and $\forall y (E_b(x,y) \to \varphi(y))$, which express “there is
a $b$-successor of $x$ satisfying $\varphi$”, respectively “all $b$-successors of $x$ satisfy $\varphi$”. Thus
FO-logic includes standard process logics, such as the finitary version of “Hennessy-
Milner logic” (cf. [Mil90]).

It is well-known that in first-order logic the transitive closure of a given relation
is (in general) not definable: In particular, in acyclic graphs the associated partial
order is not definable. (A proof will be given in the next section.) Thus we obtain
a stronger system of “first-order logic with $<$” when to FO-logic as above a symbol
$<$ for the reflexive transitive closure of the edge relation $E$ is added. We denote
this system by FO[$<$]-logic. Typically, it allows one to express properties of linear or
partial orders which are formalizable in systems of propositional temporal logic.
Over grids, we obtain an expressively equivalent variant of FO[$<$]-logic when for
the two edge relations $E_1$ and $E_2$ the respective reflexive transitive closures $<_1$ and
$<_2$ are introduced instead of $<$. Note that we have $x < y$ iff $x <_1 z$ and $z <_2 y$ for
some $z$. Conversely, each relation $<_i$ is first-order definable in terms of the relation
$E_i$ and $<$: We have $x <_i y$ iff $x < y$ and (in case $x$ and $y$ are distinct) any $z$ with
$x < z < y$ is an $E_i$-successor of some $z'$ with $x < z' < y$.

For a class $\mathcal{K}$ of acyclic graphs, any of the above notions of definability induces
a corresponding class of definable graph sets. We denote this class by the logical
system with an index for the class $\mathcal{K}$, in the form $\mathrm{FO}_{\mathcal{K}}$, $\mathrm{FO}[<]_{\mathcal{K}}$, $(\mathrm{mon}\Sigma^1_1)_{\mathcal{K}}$ ($=
\mathrm{EMSO}_{\mathcal{K}}$), etc.

The following statement is trivial.

Proposition 3.3. For any class $\mathcal{K}$ of acyclic graphs, we have
$$\mathrm{FO}_{\mathcal{K}} \subseteq (\mathrm{mon}\Delta^1_1)_{\mathcal{K}} \subseteq (\mathrm{mon}\Sigma^1_1)_{\mathcal{K}} \subseteq \mathrm{MSO}_{\mathcal{K}}.$$

Over Words and Trees, FO[$<$]-logic can be placed between FO-logic and EMSO-
logic: One notes that $x < y$ is defined by the MSO-formula

$$\forall X \big( (X(x) \wedge \forall z \forall z' ((X(z) \wedge E(z,z')) \to X(z'))) \to X(y) \big),$$

whence the claim follows by the expressive equivalence of EMSO-logic and MSO-
logic over Words, respectively Trees. In fact, we have a sharper result, establishing
the following proper inclusions (indicated by “$\subset$”) and equalities:

Proposition 3.4.

$$\mathrm{FO}_{Words} \subset \mathrm{FO}[<]_{Words} \subset (\mathrm{mon}\Delta^1_1)_{Words} = (\mathrm{mon}\Sigma^1_1)_{Words} = \mathrm{MSO}_{Words}.$$

Proof. (Hint.) The language $a^*ba^*ca^*$ is an example of a word set which is
definable in FO[$<$]-logic by the sentence

$$\exists x \exists y \big( P_b(x) \wedge x < y \wedge P_c(y) \wedge \forall z (\neg(z = x \vee z = y) \to P_a(z)) \big)$$

but not in FO-logic (see next section). The next proper inclusion is exemplified by
the set of words of even length. It is definable by a monadic $\Sigma^1_1$-sentence requiring
a set $X$ of positions which contains the first letter position, then every second
position (i.e. satisfying $\forall z \forall z' (E(z,z') \to (X(z) \leftrightarrow \neg X(z')))$), and does not contain
the last position. An equivalent $\Pi^1_1$-sentence says that all sets which contain the
first position and then every second position do not contain the last position. An
application of the Ehrenfeucht-Fraïssé method shows that the word property of
having even length is not expressible in first-order logic with linear ordering (cf.
e.g. [EF95], [Th96]). The last two equalities are clear from Proposition 3.2. □

In Section 6 we shall see that over Grids, FO[$<$]-logic and EMSO-logic (or
(mon$\Sigma^1_1$)-logic) are incompatible in expressive power, and that the last two
equalities of Proposition 3.4 turn into strict inclusions.

4.  Hanf’s  Theorem 

In [Hnf65], Hanf showed that in the first-order language of graphs only “local
properties” can be specified. A property is local if it depends only on the occurrence
(or non-occurrence) of certain local neighbourhoods around vertices. More
precisely, call (for $r \ge 0$) $r$-sphere around vertex $v$ in the graph $G$ the induced
subgraph over those vertices in $G$ which have distance $\le r$ to $v$, and with $v$ as
designated center. (The distance of $u$ to $v$ is $\le r$ if there is a path $v_0 v_1 \dots v_k$ with
$k \le r$, $v_0 = v$, $v_k = u$, and $(v_i, v_{i+1}) \in E$ or $(v_{i+1}, v_i) \in E$ for $i < k$.) Clearly,
if the graphs under consideration are of bounded degree (and of a fixed signature
regarding the labellings), there are only finitely many possible isomorphism types
of $r$-spheres.

It is easy to write down a sentence $\varphi_{\tau, \ge n}$ which says that there are at least $n$
different occurrences of spheres of a given isomorphism type $\tau$. Using conjunctions
of such sentences and negations of such sentences, one can specify for finitely many
types $\tau_1, \dots, \tau_m$ that the occurrence number of $\tau_i$ is $\le n_i$, or $\ge n_i$, or $= n_i$. A
graph language $L$ defined by a disjunction of such conditions (or equivalently: by
a boolean combination of sentences $\varphi_{\tau, \ge n}$) is called locally threshold testable.

Equivalently, $L$ is representable in terms of a certain equivalence relation $\sim_{r,t}$
between graphs. Define $G \sim_{r,t} G'$ to hold if for all types $\tau$ of $r$-spheres, the
occurrence numbers of $\tau$ in $G$ and $G'$ are both $\ge t$ or else coincide. Over graphs
of bounded degree, $\sim_{r,t}$ is an equivalence relation of finite index. An easy exercise
shows that a set $L$ is locally threshold testable iff $L$ is a union of $\sim_{r,t}$-classes for
some radius $r$ and threshold number $t$.

The main result in the first-order model theory of graphs says that the above
mentioned conditions on occurrence numbers already exhaust the expressive power
of first-order logic:

Theorem 4.1. (essentially Hanf [Hnf65])

A first-order definable set of graphs (of bounded degree) is locally threshold testable.
In particular, a first-order sentence is equivalent to a boolean combination of
sentences of the form “there are $\ge n$ occurrences of $r$-spheres of type $\tau$”.

The proof rests on an application of the Ehrenfeucht-Fraïssé game. We refer
the reader to [EF95], [FSV95], or [Th96] for details.

Let us sketch three applications. First, we verify that the language $L =
a^*ba^*ca^*$ is not in $\mathrm{FO}_{Words}$. Otherwise, we would obtain a contradiction: From
an assumed FO-sentence defining $L$ we would obtain $r$ and $t$ such that two words
(word models) which are $\sim_{r,t}$-equivalent are both in $L$ or both not in $L$. But it is
easily seen that for sufficiently large $n$ the words $a^n b a^n c a^n$ ($\in L$) and $a^n c a^n b a^n$ ($\notin L$)
have the same occurrence numbers of $r$-spheres counted up to threshold $t$ and
thus are $\sim_{r,t}$-equivalent.

In  a  similar  way,  it  is  shown  in  the  domain  Grids  that  the  set  of  all  square  grids 
(of  size  n  x  n  for  n  >  1,  whose  vertices  are  all  labelled  with  a)  is  not  first-order 
definable. 
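To make the first application concrete, here is an added Python example (written for this page, not code from the paper) that computes $r$-sphere types of word graphs, their occurrence numbers counted up to a threshold $t$, and the relation $\sim_{r,t}$. On a word graph the $r$-sphere around a position (distances ignore edge direction) is just the window of radius $r$ around it, so its isomorphism type can be encoded as the pair (offset of the centre in the window, window contents); this encoding, the function names and the restriction to words rather than arbitrary graphs of bounded degree are assumptions of the example.

```python
"""Added example: r-spheres and the equivalence ~_{r,t} of Hanf's theorem,
worked out for word graphs (not code from the paper).

A word a_1 ... a_n is the graph ({1,...,n}, (P_a)_a, E) with E the successor
relation.  Distances ignore edge direction, so the r-sphere around position v
is the window of all positions at most r away; because the graph is a path,
the isomorphism type of this sphere is determined by the window's labels
together with the offset of the centre, which is the encoding used here.
"""
from collections import Counter


def sphere_type(word, v, r):
    """Isomorphism type of the r-sphere around position v (0-based)."""
    lo, hi = max(0, v - r), min(len(word), v + r + 1)
    return (v - lo, word[lo:hi])


def occurrence_numbers(word, r):
    """Occurrence number of every r-sphere type in the word graph."""
    return Counter(sphere_type(word, v, r) for v in range(len(word)))


def threshold_counts(word, r, t):
    """Occurrence numbers capped at t: all that a boolean combination of
    sentences phi_{tau,>=n} with n <= t can distinguish."""
    return {tau: min(k, t) for tau, k in occurrence_numbers(word, r).items()}


def equivalent(u, w, r, t):
    """u ~_{r,t} w: every sphere type occurs equally often in both words,
    or at least t times in both."""
    return threshold_counts(u, r, t) == threshold_counts(w, r, t)


def in_L(word):
    """Membership in L = a*ba*ca*, decided directly (no formula involved)."""
    return (set(word) <= set("abc") and word.count("b") == 1
            and word.count("c") == 1 and word.index("b") < word.index("c"))


def separating_pair(r, t):
    """Smallest n such that a^n b a^n c a^n (in L) and a^n c a^n b a^n (not
    in L) are ~_{r,t}-equivalent.  Such an n exists for every r and t, which
    is the witness in the text: no boolean combination of sphere-counting
    sentences with radius r and threshold t, hence by Hanf's theorem no
    FO-sentence, defines L."""
    n = 1
    while True:
        u = "a" * n + "b" + "a" * n + "c" + "a" * n
        w = "a" * n + "c" + "a" * n + "b" + "a" * n
        if equivalent(u, w, r, t):
            assert in_L(u) and not in_L(w)
            return n
        n += 1


if __name__ == "__main__":
    print(sorted(occurrence_numbers("aabaa", 1).items()))
    print(equivalent("ab", "ba", 1, 1), equivalent("aab", "aba", 0, 1))  # False True
    print([separating_pair(r, 2) for r in range(4)])                   # [1, 2, 4, 6]
```

Running `separating_pair` confirms the argument: for radius $r = 1, 2, 3$ the two words become $\sim_{r,t}$-equivalent from $n = 2, 4, 6$ on, whatever $t$ is, because from $n = 2r$ on no window contains both $b$ and $c$ and the multisets of sphere types coincide exactly; for $n = 2r - 1$ the window centred between $b$ and $c$ still sees their order and separates the two words.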

Finally, as a preparation to the next section, we note the following consequence
of Hanf’s Theorem:

Proposition 4.2. The class $\mathrm{EMSO}_{\mathcal{K}}$ coincides with the class of projections of
locally threshold testable languages $L \subseteq \mathcal{K}$.

Proof. As a preparation, consider a graph $G$ with vertex labels in $A$. An
expansion $(G, V_1, \dots, V_m)$ by designated vertex sets $V_i$, which allows one to interpret
a formula $\varphi(X_1, \dots, X_m)$, can be represented as a graph $H$ with vertex labels in
$A \times \{0,1\}^m$: The $i$-th additional component has value $1$ for vertex $v$ iff $v \in V_i$.

Now a graph $G$ satisfies a sentence $\exists X_1 \dots \exists X_m\, \varphi(X_1, \dots, X_m)$ (with first-order
formula $\varphi$) iff some graph $H$, which arises from $G$ by expanding the vertex labels
from $A$ to $A \times \{0,1\}^m$, satisfies $\varphi(X_1, \dots, X_m)$. But this is equivalent to the
existence of a graph $H$ in $L(\varphi)$ (which by Hanf’s Theorem is a locally threshold
testable language) such that $h(H) = G$ for the projection $h : A \times \{0,1\}^m \to A$. □

Hanf’s  Theorem  connects  first-order  logic  to  local  properties  and  is  thus  a  good 
starting  point  for  a  logically  motivated  automata  theory  over  graphs. 

5.  Finite-State  Acceptors  and  Special  Forms 

We introduce graph acceptors which capture projections of locally threshold
testable sets:

A graph acceptor over the alphabets $A$, $B$ has the form $\mathcal{A} = (Q, A, B, \Delta, \mathrm{Occ})$
where

•  $Q$ is a finite set (of “states”),

•  $\Delta$ is, for some $r \ge 0$, a finite set of $r$-spheres with vertex labels in $A \times Q$
and edge labels in $B$,

•  $\mathrm{Occ}$ is a boolean combination of conditions “there are $\ge n$ occurrences of
spheres of type $\tau$” (where $\tau$ is an $r$-sphere type over the label alphabets
$A \times Q$ and $B$).

We call $\Delta$ the set of transitions and $\mathrm{Occ}$ the occurrence constraint.

The graph acceptor $\mathcal{A}$ accepts the graph $G$ if it can be “tiled by transitions”
such that a consistent assignment of states to vertices (a “run”) is defined and
such that the occurrence constraint is satisfied. Formally, there should be a run
$\rho : V \to Q$ such that each $r$-sphere of the expanded graph $G_\rho$ with vertex labels
in $A \times Q$ matches a transition from $\Delta$, and the occurrences of these spheres are
compatible with the constraint $\mathrm{Occ}$. We call this covering of $G$ an “accepting tiling”
of $G$ and sometimes speak of transitions as “tiles” and graph acceptors as “tiling
systems” (cf. [Th91]).

The graph language recognized by $\mathcal{A}$ (relative to the graph class $\mathcal{K}$) is
$$L_{\mathcal{K}}(\mathcal{A}) = \{G \in \mathcal{K} \mid \mathcal{A} \text{ accepts } G\}.$$

We say that $L \subseteq \mathcal{K}$ is recognizable iff $L = L_{\mathcal{K}}(\mathcal{A})$ for some graph acceptor $\mathcal{A}$.

By Proposition 4.2, graph acceptors characterize existential monadic second-
order logic:

Proposition 5.1. For any class $\mathcal{K}$ of graphs of bounded degree, a language
$L \subseteq \mathcal{K}$ is recognizable iff $L \in \mathrm{EMSO}_{\mathcal{K}}$.

Similarly, a language $L$ is recognizable by a graph acceptor with only one state
iff $L$ is first-order definable.

Usual finite automata over words or trees are simulated by special graph acceptors, in which only 1-spheres are used as transitions and the occurrence constraints are cancelled. The use of initial and final states in the classical model is captured by the use of 1-spheres whose designated center has no predecessor, respectively no successor; such transitions can only be used at the beginning, respectively at the end of a word.

In comparison with classical automata, two features of graph automata seem complicated: the use of $r$-spheres for $r > 1$, and the use of occurrence constraints. We shall see that both features can be eliminated only with extra restrictions on the input graphs.

In order to see that over acyclic graphs in general the use of $r$-spheres in transitions can not be eliminated by resorting to 1-spheres only, we consider the following example, suggested by S. Seibert.

Proposition 5.2. Let $L_n$ be the set of “$n$-supergrids”, which have vertex label “$a$” throughout and are obtained from standard grids by substituting for any edge an edge sequence of length $n$ (called “superedge”). $L_n$ is recognizable (in the class of partial orders) by a graph acceptor with $2n$-sphere transitions, but not by graph acceptors with 1-sphere transitions.

Proof. It is easy to verify recognizability of $L_n$ by a graph acceptor with $2n$-sphere transitions. For contradiction, consider a graph acceptor $\mathcal{A}$ which recognizes $L_n$ (say for $n > 4$) with 1-sphere transitions. In an accepting run of a large enough $n$-supergrid, there will be two occurrences of the same 1-sphere transition at corresponding positions on two superedges, not touching the ends of the superedges and unrelated in the partial order of the supergrid. (One may choose two occurrences of the same 1-sphere transition at the central positions of two superedges in the same row or in the same column of a large enough $n$-supergrid.) Obtain a new graph by exchanging the targets of the outgoing edges in the two 1-spheres covered by these transitions. The new graph is still acyclic, accepted by $\mathcal{A}$, but not in $L_n$. □

A similar idea appears in Example 3.2 of [Th91]; there it is shown that our graph acceptors are properly more expressive than the dag automata of Kamimura and Slutzki [KS81].

In contrast to the proposition above, one verifies that over the classes Words, Trees, Traces, and Grids, the use of 1-spheres is sufficient. (The reduction from $r$-sphere transitions to 1-sphere transitions involves a blow-up in the number of states.) Moreover, in the domain Grids there is a variant of 1-spheres which may seem more natural: In the approach developed in [GRST96] over Grids, the transitions are just $(2 \times 2)$-squares of four vertices and edges. In this model, where transitions have no designated center, the corners and borders of grids are no more detectable (i.e., tilable by special transitions only), and thus grids are presented with extra rows and columns of border markers #, also to be covered by transitions.

A precise description of the class of acyclic graphs where in graph acceptors the use of 1-sphere transitions suffices is not known.

Let us turn to the occurrence constraints. In general they can also not be eliminated: We consider the set of acyclic graphs $G_n$ made up of vertices $u_1, \ldots, u_n$ and $v_1, \ldots, v_n$ as follows: From $u_i$ there are two edges, one to $v_i$ and one to $v_{(i+1) \bmod n}$. One may imagine the $u_i$ and the $v_i$ arranged in two circles (modulo $n$), with two pointers from each vertex of the first circle to the second circle. Now consider the graph language $L$ consisting of such graphs where at least one $u_i$ is labelled $a$ and the remaining vertices (not labelled $a$) are labelled $b$. It is clear that by an occurrence constraint the existence of a vertex with label $a$ can be guaranteed. Now, for a contradiction suppose that $L$ is recognizable without occurrence constraints. Consider the graphs $G_n$ over $u_1, \ldots, u_n$ and $v_1, \ldots, v_n$ with precisely one label $a$, say at $u_1$. For sufficiently large $n$, there will be an accepting tiling where a transition is repeated, say with centers at $u_i$ and $u_j$ and such that $u_1$ is not covered by these two copies of the transition. Then the graph with vertices $u_{i+1}, \ldots, u_j, v_{i+1}, \ldots, v_j$ (built up modulo $j - i$), which has no label $a$, admits also an accepting tiling, a contradiction.

In some situations, however, the occurrence constraints can be eliminated (at the cost of more states in graph acceptors). In particular, this applies to the classes Words, Trees, and Grids. The idea is to implement a threshold counting procedure within the transitions, using the partial order to avoid loops in the counting process. It is essential that the overall counting result can be collected at some special vertex. This motivates the following claim:

Proposition 5.3. Let $\mathcal{K}$ be a class of acyclic graphs which have indexed out-edges and a co-root (and hence are connected). Then a language $L \subseteq \mathcal{K}$ is recognizable iff it is recognizable by a graph acceptor without occurrence constraints. The same holds if the graphs in $\mathcal{K}$ have indexed in-edges and a root.

Proof. Consider a graph acceptor with state set $Q$, transitions $\tau_1, \ldots, \tau_k$ (say of radius $r$), and occurrence constraint $\mathrm{Occ}$ in which $t$ is a threshold such that occurrence numbers $\geq t$ are not distinguished in $\mathrm{Occ}$. We construct a new graph acceptor whose states are vectors $(q, n_1, \ldots, n_k)$ with $n_i \leq t$ for $i = 1, \ldots, k$. At vertex $v$ this vector indicates that state $q \in Q$ is assumed and “up to now” the transition $\tau_i$ has occurred $n_i$ times. These occurrence numbers are updated following the paths of the partial order of the input graph. The indices of the out-edges serve to avoid double-counting: The accumulated occurrence numbers are transferred only along the outgoing edges with index 1. Thus, for an $r$-sphere of type $\tau_i$ whose center has no incoming edges, only the vector $(n_1, \ldots, n_k)$ with $n_i = 1$ and $n_j = 0$ for $j \neq i$ is allowed. Any given $r$-sphere, say of type $\tau_i$, which has incoming edges, is (in its center) supplied with a vector $(n_1, \ldots, n_k)$ where each $n_j$ is the sum of the $j$-th components of the sources of incoming edges which carry index 1, and where furthermore 1 is added to $n_i$ (to capture that the present type is $\tau_i$). Finally, $r$-sphere transitions for the co-root (the vertex without outgoing edges) are allowed only for the case that the center vertex is labelled with some vector $(n_1, \ldots, n_k)$ which satisfies $\mathrm{Occ}$.

The proof for the case of indexed in-edges and the existence of a root is analogous. □

It is clear that words, trees, and grids are subsumed by the preceding proposition. Formally, in the case of grids one has to modify the edge labels in order to have indexed out-edges: The vertices of the last column of a grid, which have no (horizontal) $E_1$-successors in the original convention, should now have vertical out-edges in $E_1$ (instead of $E_2$). The elimination of occurrence constraints over grids is treated in detail in [GRST96].

Finally, we turn to a special form of acceptor on partial orders which represents a proper restriction: deterministic acceptors. Partial orders are a useful assumption for introducing deterministic acceptors; there should be a uniqueness in the construction of runs when proceeding from smaller to greater vertices in the partial order. There seems to be no canonical definition of deterministic graph acceptors; and even over simple acyclic graphs like the rectangular grids there are several possibilities. We suggest here a “determinism by states” (rather than “determinism by transitions”). We call an acceptor (say with $r$-sphere transitions) over partial orders deterministic if for any $r$-sphere around a vertex $v$ and any state assignment to the vertices $u < v$ in this $r$-sphere, the assignment of a state to $v$ (by the available transitions) is unique. (Note that a certain “lookahead” is built into this definition because a sphere has to match a whole neighbourhood of the input graph.) So, the state assignment is unique per se for vertices which have no predecessors in the partial order. This definition is compatible with determinism over words and trees (using frontier-to-root tree automata, i.e., with the reversed partial order in trees). For a class $\mathcal{K}$ of acyclic graphs, denote by $\mathrm{Det}_\mathcal{K}$ the class of languages $L \subseteq \mathcal{K}$ which are recognized by deterministic graph acceptors.

An example of a language in $\mathrm{Det}_{Grids}$ is the set of square grids (trivially labelled by $a$ throughout). The assignment of states can be arranged such that a special state is associated to the diagonal starting from the unique vertex without incoming edges (which we assume to be on the top left corner). The square property is verified when in transitions for other border positions this special state is allowed only for the vertex without any outgoing edges (at the bottom right corner).

Let us verify that determinism is a proper restriction. A well-known example is provided by the domain Trees when scanned in root-to-frontier mode (cf. [GS84]). But also over partial orders which have a co-root (where information of a run can be gathered in a single vertex) this phenomenon occurs:

PROPOSITION 5.4. There is a grid language which is recognizable by a graph acceptor but not by a deterministic graph acceptor.

Proof. A suitable example is provided in [PST94]: Consider the set $L$ of square grids which have label $b$ everywhere except for two vertices labelled $a$ on the right border and bottom border, in the same distance $S$ to the right-bottom corner. (Call this $S$ the “$a$-distance”.) An appropriate nondeterministic graph acceptor guesses a point on the diagonal (from the top left to the bottom right corner), and from this point sends two “signals” (in the form of special states), one horizontally to the right, one vertically to the bottom. If at the two border points hit in this way letter $a$ occurs, this information can be transmitted to the bottom right corner (where the transitions are defined as to check this). The test that otherwise letter $b$ occurs is easily implemented.

Now suppose that a deterministic graph acceptor recognizing this grid language $L$ exists. Invoking the construction of Proposition 5.3, we can assume that occurrence constraints are eliminated (note that the construction transforms deterministic graph acceptors again into deterministic ones). Suppose the acceptor has $r$-sphere transitions. Then the states of accepting runs on two grids from $L$ of the same size are identical except for the last $r$ rows and last $r$ columns. The $(r+1)$-st last rows thus coincide except for the last $r$ columns. Because there are only finitely many assignments of transitions to the last $r$ positions of a row, there exist (for sufficiently large size of input squares) two squares $G_1, G_2 \in L$ of same size and with two different $a$-distances such that in the corresponding accepting runs also the last $r$ transitions on the $(r+1)$-st last row coincide in $G_1$ and $G_2$. Then the last $r$ rows from the accepting tiling of $G_1$ can be exchanged with the last $r$ rows of the accepting tiling of $G_2$. Hence a grid outside the language $L$ is accepted, a contradiction. □

For deterministic acceptors over Grids, the reduction of $r$-spheres to 1-spheres is no more possible. A simple example is the set of computations of a Turing machine. Such computations are represented in a space-time diagram and hence in grid form. To check a labelled grid for being a computation of a given Turing machine, one can use a deterministic (single-state) acceptor using 2-sphere transitions, but not a deterministic acceptor with 1-sphere transitions.

Determinism corresponds to a restriction of EMSO-logic. As in the case of words (see Proposition 3.2), monadic $\Sigma^1_1$-definitions can be put into $\Pi^1_1$-form:

Proposition 5.5. If a language $L \subseteq \mathcal{K}$ of acyclic graphs is recognizable deterministically, then $L \in (\mathrm{mon}\Delta^1_1)_\mathcal{K}$.

6. Some Results on Expressiveness and Decidability

In this section we come back to the question raised in the introduction: Over which classes of acyclic graphs (or generated partial orders) are the recognizable sets closed under complement (i.e., EMSO-logic is as expressive as MSO-logic), and when is the nonemptiness problem decidable? Whereas both questions are solved positively in the domains Words, Trees, Traces, let us see that this fails over Grids. In the statement below we also include the relation to deterministic recognizability and $\Delta^1_1$-properties. At the same time, we settle the relation between EMSO-logic and FO[<]-logic over grids.

Theorem 6.1. (a) The following inclusion chain is proper:

$\mathrm{Det}_{Grids} \subset (\mathrm{mon}\Delta^1_1)_{Grids} \subset (\mathrm{mon}\Sigma^1_1)_{Grids} \subset \mathrm{MSO}_{Grids}$

(b) The classes $\mathrm{FO}[<]_{Grids}$ and $(\mathrm{mon}\Sigma^1_1)_{Grids}$ are incompatible with respect to inclusion.

(c) The nonemptiness problem of graph acceptors over grids is undecidable.

Proof. (a) The inclusions as such are clear from the preceding remarks. To verify that the first inclusion is strict, take the example set $L$ of Proposition 5.4. To show that $L$ is in $(\mathrm{mon}\Delta^1_1)_{Grids}$, it remains to supply a $(\mathrm{mon}\Pi^1_1)$-definition. Such a sentence can be constructed starting from the following condition: “For each set $X$ of vertices consisting of (1) a prefix of the diagonal up to some vertex $u$, (2) the vertices to the right of $u$ on the same row, ending with $v$, and (3) the vertices below $u$ on the same column, ending with $w$, we have: if $v$ is labelled with $a$, so is $w$.”

For the strictness of the second inclusion, we identify a grid with its sequence of columns, regarding as column the associated sequence of vertex labels. Following [GRST96], we consider the set $N$ of grids of the form $GH$ where $G$ and $H$ are distinct square grids of the same size over the vertex label alphabet $\{a, b\}$. This set is monadic $\Sigma^1_1$, because the existence of a pair $(x, y)$ of vertices (at corresponding positions in $G$ and $H$) with distinct labels can be formulated using existential set quantifiers. (Namely, there should be a set $X_1$ containing all points on the same horizontal as $x$, and furthermore a set $X_2$ which occupies the diagonal which starts at the topmost vertex above $x$, downward to the right. Now $y$ is the unique point above the end of this diagonal which belongs to $X_1$.) In order to show that $N$ is not monadic $\Pi^1_1$, it suffices to show that the set of grids $GG$, consisting of two identical square grids, is not monadic $\Sigma^1_1$. Here we use the characterization of monadic $\Sigma^1_1$, i.e. EMSO-logic, by graph acceptors with 1-sphere transitions and without occurrence constraints. Such a graph acceptor can transfer the information from the left square grid to the right square grid only via the two stripes of transitions along the border between the two half grids (of square form). For the given graph acceptor, the number of such stripes is $k^{rn}$ (for some fixed $k$ and $r$) in the length $n$ of the sides of squares. However the number of possible squares grows by the rate $2^{n^2}$. Thus, for sufficiently large $n$ we find distinct squares $G$ and $H$ of side length $n$ such that on accepting tilings over $GG$ and $HH$ the stripes of 1-spheres right and left to the central border are identical. This implies that $GH$ and $HG$ are also accepted, a contradiction.

The set of grids $GG$ where $G$ is square shows that also the last inclusion of the claim is proper.

(b) The set of grids consisting of a single column of even length is $(\mathrm{mon}\Sigma^1_1)$-definable but not FO[<]-definable (see Proposition 3.4). In order to exhibit a grid language which is FO[<]-definable but not $(\mathrm{mon}\Sigma^1_1)$-definable (i.e., not recognizable), consider a variant of the set $N$ above: the set $M$ of grids of the form $GCH$ where $C$ is a column labelled by a special letter $c$ and where the sets of different column words occurring in $G$ and $H$ (over the vertex label alphabet $\{a, b\}$) coincide. This set $M$ is definable in FO[<]-logic, making use of the condition that for all positions $x$ in the first row before the vertex labelled $c$, there is a position $y$ in the first row after the vertex labelled $c$ such that the columns associated to $x$ and $y$ coincide; similarly for each such $y$ after the $c$-labelled vertex there is a corresponding $x$ before the $c$-labelled vertex. The coincidence of the columns below $x$ and $y$ is easily formalizable with the relations $<_1$ and $<_2$, which in turn are definable in terms of $<$ (as shown in Section 3). The proof that $M$ is not $(\mathrm{mon}\Sigma^1_1)$-definable is analogous to part (a) above, using the fact that for any constants $k$ and $r$, the number of distinct sets of columns of length $n$ exceeds $k^{rn}$ for sufficiently large $n$.

(c) We show that for any Turing machine $M$ we can define a graph acceptor $\mathcal{A}_M$ over an appropriate label alphabet which accepts some grid iff $M$ halts when started on the empty tape. The idea is to let $\mathcal{A}_M$ accept just those grids which code a halting computation of $M$ on the empty tape. Such a halting computation is finite in space and time (the two dimensions of the grid). Thus, the first line of such a grid is a sequence of blanks, with one pair $(s_0, \mathrm{blank})$ (where $s_0$ is the initial state of $M$). The correct succession of Turing machine configurations can be checked using 2-sphere transitions. That the grid is sufficiently large to include all work cells of the computation is guaranteed by excluding transitions for border vertices which code work cells. Finally the last line should include a final state of $M$. □

It should be noted that over Words, Trees, and Traces all classes of part (a) of the preceding theorem coincide (cf. Proposition 3.2).

An interesting problem is to find classes of partial orders beyond the domains Words, Trees, and Traces, over which EMSO-logic is closed under complement and/or where the nonemptiness problem for recognizable sets (satisfiability of EMSO-logic) is decidable. We discuss three classes: the partial orders with bounded antichains, the mirror tree concatenations, and the acyclic graphs of bounded tree-width.

Partial orders with bounded antichains constitute a generalization of trace graphs, in which the partial order is no more tied to a dependence structure of the vertex label alphabet. By a small modification of parts (a) and (c) of the preceding theorem, one verifies the following:

Proposition 6.2. Over acyclic graphs with bounded antichains, EMSO-logic is not closed under complement, and the satisfiability problem for EMSO-sentences (and hence the nonemptiness problem for finite-state graph acceptors) is undecidable.

Proof. We modify the grids of the preceding theorem (following an idea of I. Schiering): In the definition of the first successor relation (which proceeds horizontally from left to right), add an extra edge from the last vertex of each row (excluding the last two rows) to the first vertex of the second-next row, respectively. The resulting grid structure generates a partial order with antichains of at most two elements. One can now adapt the proofs of claims (a) and (c) above for these modified grids. □

For the class MTreeC of mirror tree concatenations we do not know whether a complementation result of EMSO-logic holds. However, it is easy to see that the nonemptiness problem for graph acceptors over the class MTreeC is undecidable: We use the undecidability of the nonemptiness problem for intersections of context-free languages. Given two context-free grammars $G_1, G_2$, one can construct a graph acceptor which accepts a pair $(t, s)$ of mirror-concatenated trees iff $t$ is a derivation tree for $G_1$, $s$ is an inverted derivation tree for $G_2$, and the common sequence of leaves for $t$ and $s$ consists of terminal symbols only. Such a pair $(t, s)$ exists iff $G_1$ and $G_2$ generate a common terminal word.

A better candidate domain for generalizing the classical closure and decidability results of automata theory seems to be the class of graphs of bounded tree-width. As shown by Courcelle [Cou89], the satisfiability of MSO-sentences over BTWGraphs is decidable. However, a reduction of MSO-logic to EMSO-logic (or equivalently: a complementation theorem for EMSO-logic) is unknown. In a restricted case, this reduction is possible ([ST96]), namely where a tree decomposition exists whose clusters are vertex sets which are connected by the symmetric closure of the graph edge relation.
7. Conclusion

In this paper, some suggestions were developed towards an automata theory over partial orders, and connections to various logical systems were established. We studied EMSO-logic and acceptors over several classes of finite partial orders and investigated the complementation problem and the nonemptiness problem for recognizable sets.

Some open questions have been mentioned already. Let us list some further directions which are unexplored.

(1) A theory of recognizable sets of infinite partial orders. Over which classes of infinite partial orders is it possible to introduce logically meaningful acceptance conditions, and what are these conditions? Over which classes is the nonemptiness problem decidable, possibly such that furthermore nonempty recognizable sets contain “regular” partial orders (where the meaning of “regular” is also open)?

(2) Complexity bounds for transformation algorithms and decision procedures. We did not discuss the complexity issue, e.g. in the conversion of formulas into automata or for the nonemptiness test. Note that already in the domain Traces, the available algorithms are of such a high complexity that a practical application seems hard.

(3) Development of other descriptive formalisms. Instead of systems of classical logic, more restrictive systems should be studied, whose expressive power might suffice for interesting applications but with acceptable complexity bounds e.g. for the satisfiability problem. These can be versions of regular expressions (cf. [BDW95]), or restrictions of EMSO-logic, or of FO[<]-logic, over partial orders.

(4) Comparison with the algebraic approach to recognizability. Here we refer to Courcelle’s theory of recognizability, which is based on many-sorted and locally finite graph algebras (cf. [Cou90]). The class of recognizable graph sets in this setting is closed under boolean operations, and all MSO-definable sets turn out to be recognizable. Over Grids, recognizability in the algebraic sense is even strictly stronger than MSO-definability. It is open whether, for instance, the two approaches of recognizability (via tilings and via locally finite algebras) coincide for exactly those classes of partial orders where EMSO-logic is closed under complement.
Algebraic Manipulations and Vector Languages

M. W. Shields

1. Introduction.

Vector languages [3, 4] stand in relation to Mazurkiewicz trace languages [2] in much the same way as matrices stand in relation to linear transformations. Given a basis, a linear transformation determines a matrix; given an indexed cover, a Mazurkiewicz trace determines an a-vector, a vector of strings. The advantage of the representations in each case is that they are in some sense easier to manipulate. In particular, operations such as concatenation or constructing least upper bound may be performed co-ordinatewise.

We illustrate this claim in section 4, in which we prove various order theoretic properties of the monoid of a-vectors. In section 3, we show that this monoid is structurally identical to a monoid of Mazurkiewicz traces. These results are used to establish properties of a partial order semantics for a class of extended automata, the hybrid transition systems. In particular, we show that any system of labelled partial orders which is prefix closed with respect to an ordering interpretable as ‘is an initial part of’ may, up to isomorphism, be generated by some hybrid transition system from an initial state.


2. Hybrid Transition Systems.

2.1. DEFINITION. A hybrid transition system is a 6-tuple $H = (Q, A, \to, \iota, E, \mu)$ where

• $Q$ is a set of (global) states;

• $A$ is a set of actions;

• $\to \subseteq Q \times A \times Q$ is the transition relation. We write $q_1 \to^a q_2$ to indicate that $(q_1, a, q_2) \in \to$;

• $\iota \subseteq A \times A$ is an irreflexive, symmetric relation, the independence relation;

• $E$ is a set of events;

• $\mu : A \to \mathcal{B}(E)$, where $\mathcal{B}(E)$ denotes the set of bags over $E$,

satisfying

(1) If $q_1, q_2, q_3 \in Q$ and $a \in A$ such that $q_1 \to^a q_2$ and $q_1 \to^a q_3$, then $q_2 = q_3$.

(2) If $q_1, q_2, q_3 \in Q$ and $a, b \in A$ such that $q_1 \to^a q_2 \to^b q_3$ and $a \,\iota\, b$, then there exists $\hat{q}_2 \in Q$ such that $q_1 \to^b \hat{q}_2 \to^a q_3$.

Informally, if $q_1 \to^a q_2$ then at state $q_1$ it is possible for events belonging to the bag $\mu(a)$ to occur simultaneously, sending the system to state $q_2$. For the purpose of this paper, we shall concentrate on asynchronous systems, and treat $\mu$ as a function $\mu : A \to E$. Thus, if $q_1 \to^a q_2$ then at state $q_1$ it is possible for the event $\mu(a)$ to occur sending the system to state $q_2$. If $a \,\iota\, b$, and both $q_1 \to^a q_2$ and $q_1 \to^b q_3$ then it is possible for the events $\mu(a)$ and $\mu(b)$ to occur concurrently from state $q_1$. Figure 1 pictures a hybrid transition system in which the states are represented by dots and the transition relation is represented by labelled arrows. For example, there is a transition $q_1 \to^a q_2$ with $\mu(a) = e$. The shading in the lozenge shape indicates that $a \,\iota\, b$.

We shall now describe a partial-order semantics for hybrid transition systems; this is built on a means for deriving systems of partial orders from a left-closed trace language as developed in [1, 5, 6].

Let $H$ be a hybrid transition system. We define a partial function $\delta_H : Q \times A^* \to Q$ by

$\delta_H(q, \Omega) = q$

$\delta_H(q, x.a) = q' \iff \delta_H(q, x) \to^a q'$

where $\Omega$ is the empty sequence, $x \in A^*$ and $a \in A$. If $q_0 \in Q$, then we define
$L(H, q_0) = \{x \in A^* \mid \delta_H(q_0, x) \text{ is defined}\}$
and note that $L(H, q_0)$ is prefix closed, in the sense that
$x \in L(H, q_0) \wedge y \leq x \Rightarrow y \in L(H, q_0)$
where $\leq$ is the usual prefix ordering on strings.

Figure 1

In the example of figure 1, we have $L(H, q_1) = \{\Omega, a, b, ab, ba, abc, bac\}$.

We  define  to  be  the  smallest  congruence  relation  on  A *  such  that  if  a  i  b, 
then  ab  n^ba,  A  ^-equivalence  class  is  a  Mazurkiewicz  trace .  We  shall  write  xl  for 
the  asi -equivalence  class  of  xEA*.  and  denote  the  set  of  all  -equivalence 
classes  of  A*  by  A* .  A  trace  language  is  a  subset  of  A* . 

Since  is  a  congruence  relation,  we  may  make  A*  into  a  semigroup  by 
defining 

*-y. -(*y).  (2.1) 

We  may  also  define  what  may  easily  be  proved  to  be  a  partial  order  on  A*  by 

x  3z  EA*:  xt.  zv  -  yt  (2.2) 

Returning  to  hybrid  transition  systems,  we  associate  the  pair  (H,q0)  with  the 
trace  language 

TL(H,q0)-{Xl\xEL(H,q0)} 

and  note  that  TLfH,  q0)  is  a  prefix  closed,  in  the  sense  that 

x  ETL(H,q0)  a  yt  zxi  =>yt  ETL(H,q0) 

In  the  example  if  figure  1,  we  have 

TL(H,q0)  -  {Q%/al/bl/(ab)%  -  (ba)i/(abc)l  -(bac)J 

We shall say that an element $x_\iota$ of $A^*_\iota$ is prime if and only if

$\forall y_1, y_2 \in A^*\ \forall a_1, a_2 \in A: (y_1 . a_1)_\iota = x_\iota = (y_2 . a_2)_\iota \Rightarrow a_1 = a_2$

and define $\lambda(x_\iota)$ to be the unique $a \in A$ such that $x_\iota = (y.a)_\iota$, some $y \in A^*$. Thus, for each $x_\iota \in A^*_\iota$, we may define a labelled partial order $PO(x_\iota) = (X, \le, \mu \circ \lambda)$, where $X$ is the set of primes $\le x_\iota$. The interpretation is that the elements of $X$ are occurrences, where $p_\iota$ is an occurrence of event $\mu(\lambda(p_\iota))$. If $p_\iota < p'_\iota$, then $p_\iota$ occurs before $p'_\iota$.

Incidentally, it may be shown that these elements are the primes of $A^*_\iota$ in the order theoretic sense; if a prime $p_\iota$ lies below the least upper bound of a set, then it lies under one of the elements of that set.

In the example of figure 1, the primes are the traces $a_\iota$, $b_\iota$ and $(abc)_\iota$.

Thus, if $H = (Q, A, \to, \iota, E, \mu)$ is a hybrid transition system and $q_0 \in Q$, then we may associate the pair $(H, q_0)$ with a set of labelled partial orders:

$PO(H, q_0) = \{PO(x_\iota) \mid x_\iota \in TL(H, q_0)\}$

$PO(H, q_1)$ for the example of figure 1 is pictured in figure 2.

Let us investigate the sets $PO(H, q_0)$. First, we define a relation on labelled partial orders.

2.2. DEFINITION. $(X_1, \le_1, \phi_1) \le (X_2, \le_2, \phi_2)$ if and only if:

(1) $X_1 \subseteq X_2$

(2) $\forall x_1, x_2 \in X_2: x_1 \le_1 x_2 \Leftrightarrow x_2 \in X_1 \wedge x_1 \le_2 x_2$

(3) $\forall x \in X_1: \phi_1(x) = \phi_2(x)$ and $\mathrm{range}(\phi_1) = \mathrm{range}(\phi_2)$

$\le$ is easily seen to be reflexive, antisymmetric and transitive, so restricting it to $PO(H, q_0)$ turns the latter set into a partial order. The ordering relation on $PO(H, q_1)$ for the example of figure 1 is shown in figure 2.

A set $\mathfrak{B}$ of labelled partial orders is prefix closed if and only if

$P_2 \in \mathfrak{B} \wedge P_1 \le P_2 \Rightarrow P_1 \in \mathfrak{B}$

The following theorem states the main properties of this construction. For convenience, if $U \in A^*_\iota$, then we define $(X_U, \le_U, \phi_U) = PO(U)$ and if $P = (X, \le, \phi)$, then we define $X_P = X$ and $\phi_P = \phi$.

2.3. THEOREM. If $H = (Q, A, \to, \iota, E, \mu)$ is a hybrid transition system and $q_0 \in Q$, then

(1) $PO : TL(H, q_0) \to PO(H, q_0)$ is a poset isomorphism;

(2) $PO(H, q_0)$ is a prefix closed set of finite labelled partial orders.

PROOF. (1) Let $U, V \in A^*_\iota$. It is immediate that if $U \le V$, then $X_U \subseteq X_V$ and that if $p \in X_U$, then $\phi_U(p) = \mu(\lambda(p)) = \phi_V(p)$ and $\mathrm{range}(\phi_U) = E = \mathrm{range}(\phi_V)$. If $p_1, p_2 \in X_V$, then

$p_1 \le_U p_2 \Leftrightarrow p_1 \le p_2 \wedge p_1, p_2 \in X_U \Leftrightarrow p_1 \le p_2 \wedge p_2 \in X_U \Leftrightarrow p_1 \le_V p_2 \wedge p_2 \in X_U$


Figure 2.

and we have established that $PO(U) \le PO(V)$. It is now clear that $PO$ is monotonic and onto. To complete the proof of (1) we need the following order theoretic property, which we establish in section 4.

$U \in A^*_\iota \Rightarrow \bigsqcup X_U = U$ (2.3)

where $\bigsqcup X_U$ denotes the least upper bound of the set $X_U$. From this, we obtain

$PO(U) \le PO(V) \Rightarrow X_U \subseteq X_V \Rightarrow U = \bigsqcup X_U \le \bigsqcup X_V = V$

which entails that $PO$ is injective, and hence bijective, and that $PO^{-1}$ is monotonic.

(2) It is clear that the posets in $PO(H, q_0)$ are finite. Suppose that $U \in TL(H, q_0)$ and $P \le PO(U)$. We need another order theoretic property, which we also establish in section 4:

$(\exists W \in A^*_\iota\ \forall Z \in X_P: Z \le W) \Rightarrow \bigsqcup X_P \in A^*_\iota$ (2.4)

It then follows that $V = \bigsqcup X_P \in A^*_\iota$ and that $V \le U$. Since $TL(H, q_0)$ is prefix closed, $V \in TL(H, q_0)$. We conclude the proof by showing that $P = PO(V)$ and, in view of the definition of $PO$, it suffices to prove that $X_P = X_V$. But if $W$ is prime then $W \in X_P \Leftrightarrow W \le V \Leftrightarrow W \in X_V$.

QED

Our next theorem shows that up to isomorphism, every prefix-closed system of labelled partial orders is determined by an initialised hybrid transition system. This means that our automata model is in some sense capable of describing any discrete system.

2.4. DEFINITION. Labelled partial orders $(X_1, \le_1, \phi_1)$ and $(X_2, \le_2, \phi_2)$ are isomorphic if and only if there is a bijective function $f : X_1 \to X_2$ satisfying

(1) $\forall x, x' \in X_1: x \le_1 x' \Leftrightarrow f(x) \le_2 f(x')$;

(2) $\forall x \in X_1: \phi_1(x) = \phi_2(f(x))$.

We write $(X_1, \le_1, \phi_1) \cong (X_2, \le_2, \phi_2)$ to indicate that $(X_1, \le_1, \phi_1)$ and $(X_2, \le_2, \phi_2)$ are isomorphic.

2.5. DEFINITION. Two sets of labelled partial orders $\mathfrak{B}_1$ and $\mathfrak{B}_2$ are isomorphic if and only if there exists a bijective function $\Phi : \mathfrak{B}_1 \to \mathfrak{B}_2$ such that

(1) $\forall P, P' \in \mathfrak{B}_1: P \le P' \Leftrightarrow \Phi(P) \le \Phi(P')$;

(2) $\forall P \in \mathfrak{B}_1: P \cong \Phi(P)$.

We write $\mathfrak{B}_1 \cong \mathfrak{B}_2$ to indicate that $\mathfrak{B}_1$ and $\mathfrak{B}_2$ are isomorphic.

2.6. THEOREM. Suppose that $\mathfrak{B}$ is a prefix closed set of finite labelled partial orders, then there exists a hybrid transition system $H = (Q, A, \to, \iota, E, \mu)$ and $q_0 \in Q$ such that $\mathfrak{B} \cong PO(H, q_0)$.

The proof of this theorem uses a result about systems of partial orders. So as not to introduce too long a break in this exposition, we have consigned both to an appendix.


3. Vector Languages.

Let $A$ be a set. An indexed cover for $A$ is a function $\alpha : I \to \mathcal{P}(A)$ satisfying

$\bigcup_{i \in I} \alpha(i) = A$

It is clear that the relation $\iota_\alpha \subseteq A \times A$ given by

$a\ \iota_\alpha\ b \Leftrightarrow (\forall i \in I: \{a, b\} \not\subseteq \alpha(i))$ (3.1)

is an independence relation. On the other hand, if $\iota$ is an independence relation, then there exists an indexed cover $\alpha$ such that $\iota = \iota_\alpha$. For example, define

$I = \{\{a, b\} \subseteq A \mid \neg(a\ \iota\ b)\}$

and let $\alpha$ be the identity function.

3.1. EXAMPLE. If $A = \{a, b, c\}$ and $\iota = \{(a, b), (b, a)\}$, and $\alpha : \{1, 2\} \to \mathcal{P}(A)$ is defined by $\alpha(1) = \{a, c\}$ and $\alpha(2) = \{b, c\}$, then $\iota = \iota_\alpha$.

3.2. DEFINITION. We define $M_\alpha$ to be the set of all functions $x : I \to A^*$ satisfying

$\forall i \in I: x(i) \in \alpha(i)^*$.

If $I = \{1, \ldots, n\}$, then we may represent $x \in M_\alpha$ as a tuple $(x(1), \ldots, x(n))$. We refer to the elements of $M_\alpha$ as string vectors.

We may make $M_\alpha$ into a semigroup and partially ordered set by defining

$\forall i \in I: (x.y)(i) = x(i).y(i)$ (3.2)

$x \le y \Leftrightarrow (\forall i \in I: x(i) \le y(i))$ (3.3)

$M_\alpha$ has as semigroup identity and poset bottom element the string vector $\Omega_\alpha$ which satisfies $\forall i \in I: \Omega_\alpha(i) = \Omega$.

3.3. DEFINITION. If $a \in A$, then we define the string vector $a_\alpha$ by

$a_\alpha(i) = \begin{cases} a & \text{if } a \in \alpha(i) \\ \Omega & \text{otherwise} \end{cases}$ (3.4)

We define the set $A^*_\alpha$ of $\alpha$-vectors to be the submonoid of $M_\alpha$ generated by the set $A_\alpha = \{a_\alpha \mid a \in A\}$. $A^*_\alpha$ inherits the partial order structure, including the bottom element, from $M_\alpha$. An $\alpha$-vector language is a subset of $A^*_\alpha$.

In example 3.1 above, we have $a_\alpha = (a, \Omega)$, $b_\alpha = (\Omega, b)$ and $c_\alpha = (c, c)$.

We shall occasionally need to argue by induction on the length of a vector. If $x \in A^*_\alpha$ and $a \in \alpha(i) \cap \alpha(j)$, then it is easy to see that $\#_a\, x(i) = \#_a\, x(j)$, where $\#_a\, x$ denotes the number of occurrences of $a$ in $x$. We may therefore unambiguously define $\#_a\, x = \#_a\, x(i)$ where $a \in \alpha(i)$ and the length of $x$ by

It is not hard to show that $|\Omega_\alpha| = 0$, that $|a_\alpha| = 1$ if $a \in A$ and $|x.y| = |x| + |y|$, if $x, y \in A^*_\alpha$.

We also define

$x\ \mathrm{ind}_\alpha\ y \Leftrightarrow (\forall i \in I: x(i) > \Omega \Rightarrow y(i) = \Omega)$

and observe that $\mathrm{ind}_\alpha$ is an independence relation which satisfies

$x\ \mathrm{ind}_\alpha\ y \Rightarrow x.y = y.x$ (3.5)

Our first result relates the order structure of $A^*_\alpha$ to its monoid structure.

3.4. PROPOSITION. If $x, y \in A^*_\alpha$, then

$x \le y \Leftrightarrow \exists z \in A^*_\alpha: y = x.z$

PROOF. The $\Leftarrow$ implication is trivial. For the $\Rightarrow$ implication, we argue by induction on the length of $x$. The base case, where $x = \Omega_\alpha$, is also trivial. For the induction step, we have $a_\alpha \le x$, some $a \in A$. We argue that there exists $x' \in A^*_\alpha$ such that $x = a_\alpha . x'$.

Indeed, since $a_\alpha \le x$, we may write $x = x_1 . a_\alpha . x_2$ where $\#_a\, x_1 = 0$. If $a \in \alpha(i)$, then $a \le x_1(i) . a . x_2(i)$ and so $x_1(i) = \Omega$. Therefore $a_\alpha\ \mathrm{ind}_\alpha\ x_1$, and by (3.5)

$x = x_1 . a_\alpha . x_2 = a_\alpha . x_1 . x_2$. Thus our claim holds if we define $x' = x_1 . x_2$. Likewise, since $a_\alpha \le x \le y$, there exists $y' \in A^*_\alpha$ such that $y = a_\alpha . y'$. But now, since $a_\alpha(i) . x'(i) \le a_\alpha(i) . y'(i)$, it follows that $x'(i) \le y'(i)$, each $i$, that is, $x' \le y'$. By induction, there exists $z \in A^*_\alpha$ such that $y' = x' . z$ and $y = a_\alpha . y' = a_\alpha . x' . z = x.z$.

QED

If $x . z_1 = x . z_2$, then $x(i) . z_1(i) = x(i) . z_2(i)$ each $i$, and so $z_1(i) = z_2(i)$ each $i$ and so $z_1 = z_2$. Hence, the vector $z$ of proposition 3.4 is unique; we denote it by $y/x$. We shall use the same notation for sequences; if $x \le y$, then $y/x$ is defined to be the unique string such that $x.(y/x) = y$.

By (3.1), (3.2) and (3.4)

$a\ \iota_\alpha\ b \Leftrightarrow a_\alpha\ \mathrm{ind}_\alpha\ b_\alpha$ (3.6)

$a\ \iota_\alpha\ b \Leftrightarrow a \neq b \wedge a_\alpha . b_\alpha = b_\alpha . a_\alpha$ (3.7)

from which it follows that if $\iota = \iota_\alpha$, then the monoid epimorphism $f_\alpha : A^* \to A^*_\alpha$ given by $f_\alpha(a^1 \cdots a^n) = a^1_\alpha \cdots a^n_\alpha$ satisfies

$\forall x, y \in A^*: x \approx_\iota y \Rightarrow f_\alpha(x) = f_\alpha(y)$

so that there exists a monoid epimorphism $\varphi_\alpha : A^*_\iota \to A^*_\alpha$ given by $\varphi_\alpha(x_\iota) = f_\alpha(x)$. In fact:

3.5. THEOREM. The function $\varphi_\alpha : A^*_\iota \to A^*_\alpha$ satisfying $\varphi_\alpha(x_\iota) = f_\alpha(x)$, all $x \in A^*$, is both a monoid and poset isomorphism.

PROOF. We first show that $\varphi_\alpha$ is injective. Since we know that $\varphi_\alpha$ is a monoid epimorphism, this shows that $\varphi_\alpha$ is a monoid isomorphism.

Suppose that $X, Y \in A^*_\iota$ such that $\varphi_\alpha(X) = \varphi_\alpha(Y)$ and let $x \in X$ and $y \in Y$ be such that if $x' \in X$ and $y' \in Y$, then $|x \wedge y| \ge |x' \wedge y'|$. Here $x \wedge y$ denotes the longest common prefix of $x$ and $y$ and $|x|$ denotes the length of $x$. We prove that $x = y$, from which it follows that $X = Y$.

Suppose $x \neq y$, then since $\varphi_\alpha(X) = \varphi_\alpha(Y)$, we may write $x = u.a.v$ and $y = u.b^1 \cdots b^r.a.w$ such that $a \neq b^n$, $n = 1, \ldots, r$. Now, $\varphi_\alpha(X) = \varphi_\alpha(Y)$ means that

$f_\alpha(u) . a_\alpha . f_\alpha(v) = f_\alpha(u) . b^1_\alpha \cdots b^r_\alpha . a_\alpha . f_\alpha(w)$

and so if $a_\alpha(i) > \Omega$, then $a . f_\alpha(v)(i) = b^1_\alpha(i) \cdots b^r_\alpha(i) . a . f_\alpha(w)(i)$, and since $a \neq b^n$, we must have $b^n_\alpha(i) = \Omega$. Thus, for all $n = 1, \ldots, r$, $a_\alpha\ \mathrm{ind}_\alpha\ b^n_\alpha$, and hence $a\ \iota_\alpha\ b^n$, by (3.6) and (3.7), so if we define $y' = u.a.b^1 \cdots b^r.w$, then $y' \approx_\iota y$, so that $y' \in Y$. But $|x \wedge y| < |x \wedge y'|$, the desired contradiction.

Finally, suppose that $x, y \in A^*$, then

$x_\iota \le y_\iota \Leftrightarrow \exists z_\iota \in A^*_\iota: x_\iota . z_\iota = y_\iota$, by (2.1) and (2.2)

$\Leftrightarrow \exists z_\iota \in A^*_\iota: \varphi_\alpha(x_\iota) . \varphi_\alpha(z_\iota) = \varphi_\alpha(y_\iota)$, by the first part of the proof

$\Leftrightarrow \exists z \in A^*_\alpha: \varphi_\alpha(x_\iota) . z = \varphi_\alpha(y_\iota)$

$\Leftrightarrow \varphi_\alpha(x_\iota) \le \varphi_\alpha(y_\iota)$, by proposition 3.4.

QED
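As an added illustration of theorem 3.5 (this is not code from the paper), the following Python script represents words over the cover of example 3.1 as $\alpha$-vectors and uses them to decide trace equivalence: two words are $\approx_\iota$-equivalent exactly when $f_\alpha$ sends them to the same vector, and the prefix order on traces is the coordinatewise prefix order of proposition 3.4. The function names, the brute-force enumeration of a trace class and the word set `L_FIG1` (the language $L(H, q_1)$ listed for figure 1) are all constructed here.

```python
"""Alpha-vectors (definitions 3.2-3.4) as a decision procedure for trace
equivalence (theorem 3.5).  Added example; cover and alphabet are those of
the paper's example 3.1, all function names are constructed here."""

from itertools import permutations

# Example 3.1: A = {a, b, c}, I = {0, 1}, alpha(0) = {a, c}, alpha(1) = {b, c}.
ALPHA = ({"a", "c"}, {"b", "c"})


def gen(a, alpha=ALPHA):
    """a_alpha from (3.4): the letter on every coordinate whose cover set holds it."""
    return tuple(a if a in s else "" for s in alpha)


def concat(x, y):
    """(3.2): coordinatewise concatenation."""
    return tuple(p + q for p, q in zip(x, y))


def leq(x, y):
    """(3.3): x <= y iff each coordinate of x is a prefix of that coordinate of y."""
    return all(q.startswith(p) for p, q in zip(x, y))


def ind(x, y):
    """ind_alpha: no coordinate is non-empty in both vectors."""
    return all(not (p and q) for p, q in zip(x, y))


def independent(a, b, alpha=ALPHA):
    """(3.1): a iota_alpha b iff no cover set contains both letters."""
    return all(not ({a, b} <= s) for s in alpha)


def f_alpha(word, alpha=ALPHA):
    """The monoid epimorphism f_alpha: A* -> A*_alpha of section 3."""
    v = tuple("" for _ in alpha)
    for a in word:
        v = concat(v, gen(a, alpha))
    return v


def trace_equivalent(w1, w2, alpha=ALPHA):
    """Theorem 3.5 (injectivity of phi_alpha): w1 ~ w2 iff f_alpha(w1) == f_alpha(w2)."""
    return f_alpha(w1, alpha) == f_alpha(w2, alpha)


def trace_class(word, alpha=ALPHA):
    """All linearisations of the trace of `word`: the permutations with the
    same vector.  Brute force, adequate for the short words used here."""
    target = f_alpha(word, alpha)
    return sorted({"".join(p) for p in permutations(word)
                   if f_alpha("".join(p), alpha) == target})


def quotient(x, y):
    """y/x of proposition 3.4: the unique z with x.z == y, or None if x is not below y."""
    if not leq(x, y):
        return None
    return tuple(q[len(p):] for p, q in zip(x, y))


def trace_language(words, alpha=ALPHA):
    """TL(H, q) in vector form: the set of vectors of a prefix-closed word language."""
    return {f_alpha(w, alpha) for w in words}


# L(H, q_1) of figure 1, written out as in section 2 ("" is the empty sequence).
L_FIG1 = {"", "a", "b", "ab", "ba", "abc", "bac"}
```

`trace_language(L_FIG1)` has five elements, one per trace in $TL(H, q_1)$, because `ab`/`ba` and `abc`/`bac` collapse to the same vectors; `trace_class("abc")` recovers exactly those two linearisations, while `acb` lands on a different vector since $c$ shares a coordinate with both $a$ and $b$.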


4. Operations with Vectors.

Consider the following proof that every non-empty set of strings has a greatest lower bound.

Suppose that $\emptyset \subset X \subseteq A^*$. If for no $a \in A$ is it the case that $a \le x$, all $x \in X$, then the greatest lower bound of $X$, denoted by $\sqcap X$, exists and equals $\Omega$. Otherwise, we may form the set $X/a = \{x/a \mid x \in X\}$, which is non-empty. By induction (on the length of the shortest string in $X$), $\sqcap(X/a)$ exists, and for all $u \neq \Omega$

$u \le a.(\sqcap(X/a)) \Leftrightarrow u/a \le \sqcap(X/a) \Leftrightarrow \forall x \in X: u/a \le x/a \Leftrightarrow \forall x \in X: u \le x$

so $\sqcap X$ exists and equals $a.(\sqcap(X/a))$.

In the above chain of equivalences we are making an implicit use of certain properties of strings. For example, the first equivalence uses the fact that the set $\downarrow x$ of prefixes of a sequence $x$ is totally ordered, so that if $u \le a.v$ and $u \neq \Omega$, then $a \le u$ and so $u/a$ is defined and $u/a \le v$. This argument cannot be generalised directly to vectors. For instance, in example 3.1, we have $(a, \Omega), (\Omega, b) \le (a, b)$ but neither $(a, \Omega) \le (\Omega, b)$ nor $(\Omega, b) \le (a, \Omega)$. However:

4.1. LEMMA. Suppose $x, y \in A^*_\alpha$ and $a \in A$, then

(1) $a_\alpha, x \le y \wedge a_\alpha \not\le x \Rightarrow a_\alpha\ \mathrm{ind}_\alpha\ x$;

(2) $x \le a_\alpha . y \wedge a_\alpha\ \mathrm{ind}_\alpha\ x \Rightarrow x \le y$.

PROOF. (1) If it is not the case that $a_\alpha\ \mathrm{ind}_\alpha\ x$, then for some $i \in I$, $a_\alpha(i) > \Omega$ and $x(i) > \Omega$, so that $a, x(i) \le y(i)$ and so $a \le x(i)$, which means that $\#_a\, x > 0$. Hence, for all $i \in I$, if $a_\alpha(i) > \Omega$ then $x(i) > \Omega$ and so $a \le x(i)$. But then $a_\alpha \le x$.

(2) If $a_\alpha(i) = \Omega$, then $x(i) \le (a_\alpha . y)(i) = y(i)$, whereas if $a_\alpha(i) > \Omega$, then

$x(i) = \Omega \le y(i)$.

QED

Taking these additional complications into account, we can generalise the above argument from $A^*$ to $A^*_\alpha$.

4.2. PROPOSITION. If $\emptyset \subset X \subseteq A^*_\alpha$, then $X$ has a greatest lower bound.

PROOF. Suppose that $\emptyset \subset X \subseteq A^*_\alpha$. If for no $a \in A$ is it the case that $a_\alpha \le x$, all $x \in X$, then $\sqcap X$ exists and equals $\Omega_\alpha$. Otherwise, we may form the set $X/a_\alpha = \{x/a_\alpha \mid x \in X\}$, which is non-empty. By induction (on the length of the shortest vector in $X$), $\sqcap(X/a_\alpha)$ exists. Suppose that $u \in A^*_\alpha$. If $a_\alpha \le u$, then

$u \le a_\alpha . (\sqcap(X/a_\alpha)) \Leftrightarrow u/a_\alpha \le \sqcap(X/a_\alpha) \Leftrightarrow \forall x \in X: u/a_\alpha \le x/a_\alpha \Leftrightarrow \forall x \in X: u \le x$

whereas if $a_\alpha \not\le u$, then by lemma 4.1,

$u \le a_\alpha . (\sqcap(X/a_\alpha)) \Leftrightarrow (a_\alpha\ \mathrm{ind}_\alpha\ u \wedge u \le \sqcap(X/a_\alpha))$

$\Leftrightarrow (a_\alpha\ \mathrm{ind}_\alpha\ u \wedge \forall x \in X: u \le x/a_\alpha) \Leftrightarrow \forall x \in X: u \le x$

so $\sqcap X$ exists and equals $a_\alpha . (\sqcap(X/a_\alpha))$.

QED

The advantage of a vector representation is well demonstrated in the computation of least upper bounds; both the existence and the value of a least upper bound may be determined co-ordinatewise, as we shall show in proposition 4.4. First, if $x, y \in A^*_\alpha$, then define

$x \updownarrow y \Leftrightarrow \forall i \in I: x(i) \le y(i) \vee y(i) \le x(i)$ (4.1)

and if $x \updownarrow y$, then define $x \vee y \in M_\alpha$ by

$(x \vee y)(i) = \max(x(i), y(i))$ (4.2)

We prove an extension of lemma 4.1 (1).

4.3. LEMMA. If $x, y \in A^*_\alpha$, then

$x \updownarrow y \wedge a_\alpha \le x \wedge a_\alpha \not\le y \Rightarrow a_\alpha\ \mathrm{ind}_\alpha\ y$.

PROOF. If it is not the case that $a_\alpha\ \mathrm{ind}_\alpha\ y$, then there exists $i \in I$ such that $a_\alpha(i) > \Omega$ and $y(i) > \Omega$. As $a_\alpha \le x$, $a \le x(i)$, and as either $x(i) \le y(i)$ or $y(i) \le x(i)$, we must have $a \le y(i)$. Arguing as in lemma 4.1, we conclude that $a_\alpha \le y$.

QED

If $x, y \in A^*_\alpha$, then we denote the least upper bound of $x$ and $y$, if it exists, by $x \sqcup y$.

4.4. PROPOSITION. If $x, y \in A^*_\alpha$, then

(1) If $x \sqcup y$ exists, then $x \updownarrow y$;

(2) If $x \updownarrow y$, then $x \sqcup y$ exists and equals $x \vee y$.

PROOF. (1) If $z = x \sqcup y$, then for all $i \in I$, $x(i), y(i) \le z(i)$ and so $x \updownarrow y$ as $\downarrow z(i)$ is totally ordered.

(2) It is clear that for all $i \in I$, $(x \vee y)(i) \le u(i) \Leftrightarrow x(i) \le u(i) \wedge y(i) \le u(i)$ and so it remains to be shown that $x \vee y \in A^*_\alpha$. We argue by induction on the length of $x$. The base case, $x = \Omega_\alpha$, is trivial. For the induction step, suppose that $a_\alpha \le x$.

If $a_\alpha \le y$, then a co-ordinatewise argument gives $x/a_\alpha \updownarrow y/a_\alpha$; for example, if $x(i) \le y(i)$, then $x(i)/a_\alpha(i) \le y(i)/a_\alpha(i)$. By induction $(x/a_\alpha) \vee (y/a_\alpha) \in A^*_\alpha$ so $x \vee y = a_\alpha . ((x/a_\alpha) \vee (y/a_\alpha)) \in A^*_\alpha$, as

$\forall i \in I: \max(x(i), y(i)) = a_\alpha(i) . \max((x(i)/a_\alpha(i)), (y(i)/a_\alpha(i)))$

Otherwise $a_\alpha \not\le y$ and so by lemma 4.3 $a_\alpha\ \mathrm{ind}_\alpha\ y$. Again, a co-ordinatewise argument gives $x/a_\alpha \updownarrow y$. Indeed, if $a_\alpha(i) > \Omega$, then $y(i) = \Omega \le x(i)$, while otherwise, $(x/a_\alpha)(i) = x(i)$. By induction $(x/a_\alpha) \vee y \in A^*_\alpha$. If $a_\alpha(i) > \Omega$, then $y(i) = \Omega$ and so

$(a_\alpha . ((x/a_\alpha) \vee y))(i) = a . \max(x(i)/a, \Omega) = x(i) = \max(x(i), y(i)) = (x \vee y)(i)$

Otherwise $a_\alpha(i) = \Omega$ and so $(a_\alpha . ((x/a_\alpha) \vee y))(i) = \max(x(i), y(i)) = (x \vee y)(i)$ and

we have established that $x \vee y = a_\alpha . ((x/a_\alpha) \vee y) \in A^*_\alpha$.

QED

The following corollary, together with theorem 3.5, establishes (2.4) which we used in the proof of theorem 2.3.

4.5. COROLLARY. If $X \subseteq A^*_\alpha$, then $\bigsqcup X$ exists if and only if $X$ is bounded above, and then

$\forall i \in I: (\bigsqcup X)(i) = \bigsqcup \{x(i) \mid x \in X\}$.

PROOF. If $\bigsqcup X$ exists then $X$ is bounded above, by $\bigsqcup X$. Conversely, suppose that $X$ is bounded above by $y$, say, then $X$ must be finite, as every vector may have only a finite number of distinct prefixes. If $X$ is empty, then $\bigsqcup X = \Omega_\alpha$; otherwise $X = \{x_1, \ldots, x_n\}$, $n > 0$, and $X' = \{x_2, \ldots, x_n\}$ is bounded above by $y$, so by induction, $\bigsqcup X'$ exists and $\forall i \in I: (\bigsqcup X')(i) = \bigsqcup \{x(i) \mid x \in X'\}$. Both $x_1$ and $\bigsqcup X'$ are bounded above by $y$, so $x_1 \updownarrow \bigsqcup X'$, so $x_1 \sqcup \bigsqcup X'$ exists and consequently $x_1 \sqcup \bigsqcup X' = \bigsqcup X$. Furthermore,

$\forall i \in I: (\bigsqcup X)(i) = x_1(i) \sqcup \bigsqcup \{x(i) \mid x \in X'\} = \bigsqcup \{x(i) \mid x \in X\}$.

QED

We now establish a vector version of (2.3), thereby completing the proof of theorem 2.3. We shall say that $p \in A^*_\alpha$ is prime if and only if:

$\forall u, v \in A^*_\alpha\ \forall a, b \in A: u . a_\alpha = p = v . b_\alpha \Rightarrow a = b$ (4.3)

and note that by theorem 3.5, if $p \in A^*$, then $p_\iota$ is prime if and only if $\varphi_\alpha(p_\iota)$ is prime. We write $Pr_\alpha$ for the set of primes and for all $x \in A^*_\alpha$ define

$X_x = \{p \in Pr_\alpha \mid p \le x\}$.

4.6. PROPOSITION. For all $x \in A^*_\alpha$, $\bigsqcup X_x$ exists and $x = \bigsqcup X_x$.

PROOF. Since $X_x$ is bounded above by $x$, $\bigsqcup X_x$ exists by corollary 4.5 and $\bigsqcup X_x \le x$. To complete the proof, we show that for each $i \in I$, there exists $p \in X_x$ such that $p(i) = x(i)$ and appeal to corollary 4.5.

Let $Y = \{y \in A^*_\alpha \mid y \le x \wedge y(i) = x(i)\}$, then $Y$ is non-empty, since it contains $x$. Let $p \in Y$ have minimal length. If $p$ is not prime, then there exist $u, v \in A^*_\alpha$ and $a, b \in A$ such that $u . a_\alpha = p = v . b_\alpha$ and $a \neq b$. So $u(i) . a_\alpha(i) = v(i) . b_\alpha(i)$ and since $a \neq b$, we cannot have $a_\alpha(i), b_\alpha(i) > \Omega$. Without loss of generality, $a_\alpha(i) = \Omega$, and now we have $u < p \le x$ and $u(i) = (u . a_\alpha)(i) = p(i) = x(i)$, so that $u \in Y$ and has shorter length than $p$, a contradiction.

QED

The construction of primes in the proof of proposition 4.6 may be generalised, as follows. Suppose that $x \in A^*_\alpha$ and $a \in \alpha(i)$, then an element of the shortest length from the set $Y_i = \{y \in A^*_\alpha \mid y \le x . a_\alpha \wedge y(i) = x(i) . a\}$ is prime, and furthermore, if we apply this construction to $Y_j$, where $a \in \alpha(j)$, then we obtain exactly the same vector. We denote it by $pr_\alpha(x, a)$.

The following proposition will be needed in the proof of theorem 2.6, which we present in the appendix.

4.7. PROPOSITION. If $x = a^1_\alpha \cdots a^r_\alpha$, then $X_x = \{pr_\alpha(a^1_\alpha \cdots a^k_\alpha, a^{k+1}) \mid 0 \le k < r\}$.

PROOF. Certainly, $\{pr_\alpha(a^1_\alpha \cdots a^k_\alpha, a^{k+1}) \mid 0 \le k < r\} \subseteq X_x$, while if $u . a_\alpha \in X_x$, then $u . a_\alpha = pr_\alpha(a^1_\alpha \cdots a^k_\alpha, a^{k+1})$ where $a = a^{k+1}$ and $\#_a\, u = \#_a\, (a^1_\alpha \cdots a^k_\alpha)$.

QED

We conclude this section with a useful result which allows us to factorise the prefix of the concatenation of two vectors as a concatenation of their prefixes.

4.8. PROPOSITION. If $x, y, z \in A^*_\alpha$, then

$x \le y.z \Rightarrow \exists u, v \in A^*_\alpha: u.v = x \wedge u \le y \wedge v \le z \wedge v\ \mathrm{ind}_\alpha\ (y/u)$

Consequently, $y.z = x.(y/u).(z/v)$.

PROOF. Let $u = x \sqcap y$, then $u \le x$ and so we may define $v = x/u$. It immediately follows that $x = u.v$ and that $u \le y$.

Now, $v \le (y/u).z$ and $y/u \le (y/u).z$. So

$v \sqcap (y/u) = (x/u) \sqcap (y/u) = (x \sqcap y)/u = (x \sqcap y)/(x \sqcap y) = \Omega_\alpha$

and a repeated application of lemma 4.1 establishes that $v\ \mathrm{ind}_\alpha\ (y/u)$. Finally, from $u \le y$ and a coordinatewise argument, we may conclude that $(y.z)/u = (y/u).z$, so $v = x/u \le (y.z)/u = (y/u).z$. This, together with $v\ \mathrm{ind}_\alpha\ (y/u)$, entails that $v \le z$.

QED
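To show the section 4 operations at work, together with the labelled partial order $PO(x)$ of section 2 that they were introduced to justify, here is an added Python example; it is not the paper's code, the cover is again that of example 3.1, and the words, the event labelling `MU` and every function name are constructed for it. It computes greatest lower bounds by the recursion of proposition 4.2, least upper bounds coordinatewise as in proposition 4.4 and corollary 4.5, the primes below a vector and $pr_\alpha(x, a)$ as in propositions 4.6 and 4.7, and the factorisation $(u, v)$ of proposition 4.8, so that each of those claims can be checked on the word $abc$ of figure 1.

```python
"""Order-theoretic operations on alpha-vectors (section 4) and the labelled
partial order PO(x) of section 2 built from primes.  Added example: the cover
is that of example 3.1; the words, the labelling MU and all names are
constructed here."""

from functools import reduce
from itertools import product

ALPHA = ({"a", "c"}, {"b", "c"})                 # example 3.1, coordinates 0 and 1
ALPHABET = sorted(set().union(*ALPHA))
EMPTY = tuple("" for _ in ALPHA)                 # Omega_alpha
MU = {"a": "local", "b": "local", "c": "sync"}   # constructed labelling mu: A -> E

def gen(a): return tuple(a if a in s else "" for s in ALPHA)           # a_alpha, (3.4)
def concat(x, y): return tuple(p + q for p, q in zip(x, y))            # (3.2)
def leq(x, y): return all(q.startswith(p) for p, q in zip(x, y))       # (3.3)
def ind(x, y): return all(not (p and q) for p, q in zip(x, y))         # ind_alpha
def quotient(x, y): return tuple(q[len(p):] for p, q in zip(x, y))    # y/x, assumes x <= y
def coord(a): return next(i for i, s in enumerate(ALPHA) if a in s)    # a coordinate carrying a
def length(v): return sum(v[coord(a)].count(a) for a in ALPHABET)      # |v|, each generator once
def f_alpha(word): return reduce(concat, map(gen, word), EMPTY)        # f_alpha: A* -> A*_alpha

def is_vector(v):
    """Membership in A*_alpha: peel leading generators.  No backtracking is needed,
    because by proposition 3.4 v/a_alpha lies in A*_alpha whenever v does."""
    if not any(v):
        return True
    for a in ALPHABET:
        if leq(gen(a), v):
            return is_vector(quotient(gen(a), v))
    return False

def glb(xs):
    """Proposition 4.2: strip a generator below every element and recurse."""
    xs = list(xs)
    for a in ALPHABET:
        if all(leq(gen(a), x) for x in xs):
            return concat(gen(a), glb(quotient(gen(a), x) for x in xs))
    return EMPTY

def compatible(x, y):
    """(4.1): on every coordinate one side is a prefix of the other."""
    return all(p.startswith(q) or q.startswith(p) for p, q in zip(x, y))

def lub(x, y):
    """Proposition 4.4: the lub exists iff x, y are compatible, and then equals (4.2)."""
    return tuple(max(p, q, key=len) for p, q in zip(x, y)) if compatible(x, y) else None

def lub_set(xs):
    """Corollary 4.5 by folding; None when the set is not bounded above."""
    return reduce(lambda acc, x: None if acc is None else lub(acc, x), xs, EMPTY)

def last_letters(p):
    """Letters a with p = u.a_alpha: p ends in a on every coordinate carrying a."""
    return [a for a in ALPHABET
            if all(not g or q.endswith(g) for q, g in zip(p, gen(a)))]

def is_prime(p):
    """(4.3): exactly one last letter.  Omega_alpha is excluded, as proposition 4.7 requires."""
    return any(p) and len(last_letters(p)) == 1

def down_set(x):
    """All alpha-vectors below x: coordinatewise prefixes that lie in A*_alpha."""
    cuts = product(*[range(len(c) + 1) for c in x])
    return [v for v in (tuple(c[:k] for c, k in zip(x, ks)) for ks in cuts) if is_vector(v)]

def primes_below(x):
    """X_x of section 4; by proposition 4.6, lub_set(primes_below(x)) == x."""
    return [p for p in down_set(x) if is_prime(p)]

def pr_alpha(x, a):
    """pr_alpha(x, a): shortest y <= x.a_alpha agreeing with it on a coordinate carrying a."""
    xa, i = concat(x, gen(a)), coord(a)
    return min((y for y in down_set(xa) if y[i] == xa[i]), key=length)

def po(x, mu=MU):
    """PO(x) of section 2: occurrences are the primes below x, ordered by <=,
    each labelled mu(lambda(p)).  Returns (occurrences, strict-order pairs, labels)."""
    xs = primes_below(x)
    order = {(p, q) for p in xs for q in xs if p != q and leq(p, q)}
    return xs, order, {p: mu[last_letters(p)[0]] for p in xs}

def factorise(x, y, z):
    """Proposition 4.8: for x <= y.z, (u, v) with u.v = x, u <= y, v <= z, v ind (y/u)."""
    if not leq(x, concat(y, z)):
        raise ValueError("x is not a prefix of y.z")
    u = glb([x, y])
    return u, quotient(u, x)
```

`po(f_alpha("abc"))` yields three occurrences, the primes $a_\alpha$, $b_\alpha$ and $(abc)_\alpha$, with the two one-letter primes unordered and both below the third, matching the primes listed for figure 1 in section 2; `lub_set(primes_below(x))` returning `x` is proposition 4.6 in action, and `lub(f_alpha("ab"), f_alpha("ac"))` is `None` because the two vectors disagree on the coordinate shared by $b$ and $c$.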


5. Conclusions and Related Work.

We have demonstrated the use of vectors as representations of traces which simplify certain relations and constructions. The work reported here is actually part of a larger study [7] in which, among other things:

• Hybrid transition systems are labelled by bags of events and behaviours are modelled by labelled pre-orders; the induced equivalence relation on occurrences is that of simultaneity.

• The use of vectors is otherwise illustrated in establishing structure theorems for important subclasses of the class of vector languages.

• Hybrid transition systems are used to provide a non-interleaving semantics for a variety of specification notations, from Net theory to CCS.

• The machinery of category theory is used to relate the expressive power of the specification notations on the basis of the above common semantic domain.


Appendix: Proof of Theorem 2.6.

Before we prove the theorem, we need the following property of sets of finite labelled partial orders.

PROPOSITION. If $\mathfrak{B}$ is a prefix closed set of finite labelled partial orders, then there exists a prefix closed set of finite labelled partial orders $\mathfrak{B}'$ such that $\mathfrak{B} \cong \mathfrak{B}'$ and that for all $P_1, P_2 \in \mathfrak{B}'$

$P_1 \le P_2 \Leftrightarrow X_{P_1} \subseteq X_{P_2}$ (A.1)

PROOF. Let $M_{\mathfrak{B}}$ denote the set of all $P \in \mathfrak{B}$ having a unique maximal element $\lambda(P)$. If $P \in \mathfrak{B}$, then define $\Phi(P) = (\hat{X}_P, \hat{\le}_P, \hat{\phi}_P)$, where

• $\hat{X}_P = \{P' \in M_{\mathfrak{B}} \mid P' \le P\}$

• $P_1\ \hat{\le}_P\ P_2 \Leftrightarrow P_1 \le P_2$

• $\hat{\phi}_P(P') = \phi_P(\lambda(P'))$

and let $\mathfrak{B}' = \{\Phi(P) \mid P \in \mathfrak{B}\}$.

To prove (A.1), it suffices to show that if $P_1, P_2 \in \mathfrak{B}$, then $\hat{X}_{P_1} \subseteq \hat{X}_{P_2} \Rightarrow \Phi(P_1) \le \Phi(P_2)$, and in view of the definition of $\Phi$, we need only establish (2) of definition 2.2. But if $P, P' \in \hat{X}_{P_2}$, then

$P \le P' \wedge P' \in \hat{X}_{P_1} \Rightarrow P \in \hat{X}_{P_1}$

and so

$P\ \hat{\le}_{P_1}\ P' \Leftrightarrow P \le P' \wedge P, P' \in \hat{X}_{P_1} \Leftrightarrow P \le P' \wedge P' \in \hat{X}_{P_1} \Leftrightarrow P\ \hat{\le}_{P_2}\ P' \wedge P' \in \hat{X}_{P_1}$
Since (A.1) holds, to show that $\Phi : \mathfrak{B} \to \mathfrak{B}'$ satisfies (1) of definition 2.5 we need only show that if $P_1, P_2 \in \mathfrak{B}$, then $P_1 \le P_2 \Leftrightarrow \hat{X}_{P_1} \subseteq \hat{X}_{P_2}$. If $P_1 \le P_2$, then $P \in \hat{X}_{P_1} \Rightarrow P \le P_1 \le P_2 \Rightarrow P \in \hat{X}_{P_2}$. Conversely, suppose that $\hat{X}_{P_1} \subseteq \hat{X}_{P_2}$. If $x \in X_{P_1}$, then define $\downarrow_{P_1} x = (X, \le, \phi)$, where

$X = \{y \in X_{P_1} \mid y \le_{P_1} x\}$

$\forall y, y' \in X: y \le y' \Leftrightarrow y \le_{P_1} y'$

$\forall y \in X: \phi(y) = \phi_{P_1}(y)$.

We note that $\downarrow_{P_1} x \in \hat{X}_{P_1}$ with $\lambda(\downarrow_{P_1} x) = x$. Hence $\downarrow_{P_1} x \in \hat{X}_{P_2}$, and in particular, $\downarrow_{P_1} x \le P_2$, so $x \in X_{P_2}$ and we have proved that $X_{P_1} \subseteq X_{P_2}$. Since $\downarrow_{P_1} x \le P_2$, we also have $\phi_{P_1}(x) = \phi_{\downarrow_{P_1} x}(x) = \phi_{P_2}(x)$ and

$y \le_{P_1} x \Leftrightarrow y \le_{\downarrow_{P_1} x} x \Leftrightarrow y \le_{P_2} x \wedge x \in X_{\downarrow_{P_1} x} \Leftrightarrow y \le_{P_2} x \wedge x \in X_{P_1}$

Finally, suppose that $P \in \mathfrak{B}$, then it is straightforward to check that the function $\varphi : P \to \Phi(P)$ given by $\varphi(x) = (X, \le, \phi)$ is an isomorphism, where

$X = \{y \mid y \le_P x\}$

$y_1 \le y_2 \Leftrightarrow y_1 \le_P y_2$

$\phi = \phi_P | X$.

QED


If $P$ is a labelled partial order and $X \subseteq X_P$, then we define

$P | X = (X, \le_P \cap (X \times X), \phi_P | X)$

We sketch the proof of theorem 2.6. By the proposition, we may assume that $\mathfrak{B}$ satisfies $P_1 \le P_2 \Leftrightarrow X_{P_1} \subseteq X_{P_2}$. Define $H = (Q, A, \to, \iota, E, \mu)$, where

• $Q = \mathfrak{B}$;

• $A = \bigcup_{P \in \mathfrak{B}} X_P$;

• $P_1 \to^x P_2 \Leftrightarrow X_{P_1} \subseteq X_{P_2} \wedge X_{P_2} - X_{P_1} = \{x\}$;

• $x_1\ \iota\ x_2 \Leftrightarrow \exists P \in \mathfrak{B}: x_1, x_2 \in X_P \wedge x_1 \not\le_P x_2 \wedge x_2 \not\le_P x_1$;

• $E = \bigcup_{P \in \mathfrak{B}} \mathrm{range}(\phi_P)$;

• $\mu(x) = e \Leftrightarrow \exists P \in \mathfrak{B}: x \in X_P \wedge \phi_P(x) = e$.

If $P \to^x P_1$ and $P \to^x P_2$, then $X_{P_1} = X_P \cup \{x\} = X_{P_2}$ and so, by the assumption $P_1 \le P_2 \Leftrightarrow X_{P_1} \subseteq X_{P_2}$, we must have $P_1 = P_2$. Suppose that $P \to^x P_1$ and $P_1 \to^y P_2$ with $x\ \iota\ y$ and define $P'_1 = P_2 | (X_{P_2} - \{x\})$. It is not hard to check that $P'_1 \le P_2$,

giving $P'_1 \in \mathfrak{B}$, by left-closure. And now, $P \to^y P'_1$ and $P'_1 \to^x P_2$. We have shown that $H$ is a hybrid transition system.

Define $q_0$ to be the empty labelled partial order, with label set $E$. We now define a function $\Phi$, which we shall show to be an isomorphism from $\mathfrak{B}$ to $PO(H, q_0)$, as follows. Suppose $P \in \mathfrak{B}$, and let $X_P = \{x_1, \ldots, x_n\}$, where the numbering is such that $x_i <_P x_j \Rightarrow i < j$; $x_1 \cdots x_n$ is a linear ordering of $P$. It may be shown that $u = x_1 \cdots x_n \in L(H, q_0)$ and that $\Phi(P) = PO(u_\iota)$ does not depend on the particular linear ordering chosen.

Indeed, it is not hard to show that if we define $P_i = P | \{x_1, \ldots, x_i\}$, each $i$, then $P_1 \le P_2 \le \cdots \le P_n = P$ and so $P_i \in \mathfrak{B}$ each $i$, by left closure. We also have $q_0 \to^{x_1} P_1$ and $P_i \to^{x_{i+1}} P_{i+1}$, each $i$, and so $u = x_1 \cdots x_n \in L(H, q_0)$. If $x_i\ \iota\ x_{i+1}$, then $x_1 \cdots x_{i+1} . x_i \cdots x_n$ is also a linear ordering of $P$, and any other linear ordering of $P$ may be obtained from $x_1 \cdots x_n$ by permuting adjacent, unordered elements. Hence, the linear orderings of $P$ form a $\approx_\iota$-class and $\Phi$ is well-defined.

If $P_1 \le P_2$, then any linear ordering $u$ of $P_1$ may be extended to a linear ordering $v$ of $P_2$, so that $u_\iota \le v_\iota$ and consequently $PO(u_\iota) \le PO(v_\iota)$, as was established in the proof of theorem 2.3. Thus, $\Phi$ is monotonic. If $u \in L(H, q_0)$, then $\Phi(P) = PO(u_\iota)$, where $P = \theta_H(q_0, u)$, and so $\Phi$ is onto. If $PO(u_\iota) \le PO(v_\iota)$, then $u_\iota \le v_\iota$ as was also established in the proof of theorem 2.3, so $X_{P_1} \subseteq X_{P_2}$ and hence $P_1 \le P_2$, by (A.1). Thus, $\Phi$ is injective and $\Phi^{-1}$ is monotonic.

The isomorphism from $P$ to $\Phi(P)$ will be defined by

By proposition 4.7, $\varphi$ maps $X_P$ onto $X_{u_\iota}$ and so $\varphi$ is bijective. If $x_i <_P x_j$, then $i < j$ and $\neg(x_i\ \iota\ x_j)$, and so $pr((x_1 \cdots x_{i-1})_\iota, x_i) < pr((x_1 \cdots x_{j-1})_\iota, x_j)$. Conversely, if

$pr((x_1 \cdots x_{i-1})_\iota, x_i) < pr((x_1 \cdots x_{j-1})_\iota, x_j)$, then $x_i \in \{x_1, \ldots, x_{j-1}\}$ and $\neg(x_i\ \iota\ x_j)$, so $x_i <_P x_j$. Thus, $\varphi$ is a poset isomorphism. Finally:

$\phi_{u_\iota}(\varphi(x_i)) = \phi_{u_\iota}(pr((x_1 \cdots x_{i-1})_\iota, x_i)) = \mu(x_i) = \phi_P(x_i)$

QED
Abstract

Refinement of abstract atomic operations is considered. The temporal logic ISTL* is used to demonstrate a two-stage approach to verification of such refinements for distributed systems. In each refinement, convenient lower level computations are first shown to implement upper level operations, and then in the second stage, all other computations are shown to be equivalent to one of the convenient ones. The equivalence maintains the ordering of all causally dependent events, but allows independent events to occur in different orders. The advantage of this separation is that different kinds of reasoning and induction can be used for the two aspects. A proof rule with well-founded sets is proposed for the proofs of equivalence. The approach is demonstrated for a refinement that adds output queues between processors and a main memory.


1 Introduction

In refinements of distributed systems high level atomic operations are replaced by collections of lower level operations that loosen the synchrony among distributed processors, but still maintain some key properties. In the approach to justifying the correctness presented here, each refinement proof is divided into two independent stages. The first stage shows that convenient executions of operations from the next lower level are a simple refinement of executions from the upper level, and can be demonstrated correct using standard refinement mappings. The convenient executions are precisely those where the lower level operations that implement a higher level one appear as a subsequence, with no other lower level operations interspersed. These are legal lower level executions, even if they are unlikely to occur in practice because the operations are distributed in a collection of asynchronously executing processors. A mapping function from each convenient execution to some abstract computation is generally simple and iterative. After this first stage, we have only shown that every convenient execution sequence is a refinement of some higher level abstract execution.

*This research was supported by the Fund for the Promotion of Research in the Technion.
Then we show that every additional execution sequence at the lower level is equivalent to one of the convenient ones. This stage could be considered as a 'loosening' of the ordering imposed by the convenient executions.

The two-step reasoning at each level saves having to directly relate each lower level sequence through a mapping to an upper level one, as is done in other proof methods. Although such a mapping exists, the use of history and prophecy variables may be required. The mapping may be extremely difficult to express and justify because the collection of lower level operations that can be considered the 'implementation' of an upper level one is interleaved with an arbitrary number of operations that implement other higher level operations. Thus it is difficult to obtain an iterative proof that is uniform for all the computations when a direct mapping is required. Note that the difficulty is not in the proof obligations once appropriate mappings and invariants are found, but in the conceptual complexity in suggesting appropriate candidates for mappings and intermediate assertions. In contrast, here we claim that the reasoning used is not far from that used intuitively by designers of such systems.

The refinement we consider here could be one step in a derivation and verification of a cache consistency protocol. In this example, we will require that the refinement maintain what is known as sequential consistency. Intuitively, this means that the projection of local events of each processor is consistent with use of a serial memory, even if a version with queues and local caches is used instead. Although this is natural in the context of cache consistency protocols, note that there are other applications of the refinement verification technique that have no such requirement.

The temporal logic ISTL* is used to express the properties of computations. It is based on the idea of a partial order computation, which is simply a maximal set of occurrences of operations (called events) of a distributed system that have some partial ordering among them. The ordering includes any causality required among events, and may have additional restrictions. Events which are ordered are called dependent, and the others are independent. A program or system defines a collection of such partial order computations. As shown previously in [KP90, KP92b, KP92a], the collection of all linearizations of the events that are consistent with the partial order can be considered in a temporal logic framework. Each linearization generates an execution sequence, which is a sequence of alternating events and global states. All such execution sequences generated from a given partial order computation define an interleaving set and are considered equivalent. Intuitively, two execution sequences will be equivalent if they differ only in that strictly independent events are executed in a different order in the two sequences.

In ISTL*, a branching time assertion is interpreted as true for a distributed system if it is true for every interleaving set of the system. This is analogous to the standard interpretation of a linear temporal logic assertion being true of a system if it holds for every execution sequence. Then it is easy to express that each equivalence class has some execution sequence satisfying a property $p$, simply as $Ep$, using the existential modality $E$. This allows easy expression of the claim that every equivalence class has a convenient execution. Such properties are often natural for distributed systems and allow expressing specifications for problems such as database serializability, distributed snapshots, and sequential consistency of cache-based shared memory systems.
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The  logic  also  is  natural  for  a  proof  of  equivalence  which  is  global,  using  temporal 
logic  assertions  about  the  entire  computation,  along  with  formulas  that  encode 
which  operations  are  independent  of  each  other. 

In  previous  proofs  of  assertions  with  Ep  [KP92b,  PP90],  the  two  stages  suggested 
here  were  mixed  together.  The  motivation  for  showing  both  properties  at  once  is 
to  allow  a  classic  iterative  proof  on  the  computation,  maintaining  compositionality 
and  modularity  in  the  proof.  At  each  step  we  can  assume  both  that  p  is  true 
for  (some  extension  of)  the  parts  of  the  computations  considered  so  far,  and  that 
sufficient  computations  are  being  included  so  that  every  computation  is  equivalent 
to  one  of  those  explicitly  considered.  This  allows  compositional  proofs  and  proof 
rules  to  be  used,  but  has  the  price  of  complicated  proof  rules.  In  the  inductive 
step,  it  is  necessary  to  show  that  the  states  reached  so  far  all  have  a  possible  next 
state  that  will  both  maintain  p  and  extend  the  existing  computations  to  sufficient 
representatives.  Here,  different  kinds  of  reasoning  can  be  used  for  the  two  subproofs. 

The rest of this paper is structured as follows. In Section 2, the idea of
(convenient) interleaving sequences and the dependency relation is explained in greater
detail. The implications for independence of queue operations are also examined.
The temporal logic ISTL* is then briefly described in Section 3. In Section 4,
a precise definition of sequential consistency in terms of ISTL* is given. In this
framework the needed restrictions on the independence relation are defined, as
is the implementation of a collection of execution sequences by another collection.
Then the correctness requirements are defined for any refinement that maintains
sequential consistency, using convenient executions and equivalence. A proof method
based on well founded sets is presented to show that each execution sequence is
equivalent to some convenient one.

Section  5  treats  the  replacement  of  an  abstract  sequential  global  memory  by 
a  less  synchronized  version  with  queues  between  the  processors  and  the  global 
memory.  In  the  abstract  version,  each  processor  can  execute  atomic  read  and  write 
operations  directly  from  the  memory.  In  the  lower  level  version,  a  processor  can 
only  write  to  a  local  queue,  while  later  the  head  of  the  queue  is  written  to  the 
memory  internally.  This  is  one  basic  step  in  a  series  of  refinements  that  can  be 
used  to  derive  a  caching  protocol.  The  proof  obligations  are  presented  as  temporal 
logic  implications.  Using  the  properties  of  queues,  it  is  easy  to  define  convenient 
executions  for  them  and  show  that  these  implement  the  more  abstract  level,  and 
maintain  sequential  consistency. 

The  next  crucial  step  involves  showing  that  each  lower  level  execution  sequence 
is  equivalent  to  some  convenient  sequence,  through  a  proof  involving  well-founded 
sets.  To  guarantee  this  equivalence,  reading  from  memory  is  restricted  on  the 
implementation  level.  Care  must  be  taken  in  defining  which  events  are  dependent, 
in  order  to  obtain  the  appropriate  equivalence  relation  for  sequential  consistency. 
Section  6  summarizes  the  approach. 


2 Defining dependencies and convenient executions

Definition 1 (Execution sequence) An execution sequence $\rho$ is an alternating
sequence of states and events (occurrences of operations) denoted
$\sigma_0 \alpha_0 \sigma_1 \alpha_1 \ldots$ For each state $\sigma_{j+1}$ in the
sequence, $\sigma_{j+1} = \alpha_j(\sigma_j)$. The subsequence of states is denoted
by $\sigma$, and the subsequence of events is denoted by $\alpha$.

The terms 'execution sequence' and 'computation' are used interchangeably in
the continuation. To apply the methodology, the independence of operations must
be made explicit in a relation among events, and equivalence among execution
sequences under the independence relation must be defined. Knowledge of the
independence relation is essential for the loosening stage, which involves precise
reasoning about which operations are independent in which states. Each operation
is viewed as a guard $c$ (i.e., a condition for applicability on the state $s$) followed by
a command $f$ that is simply a function of $s$ (with the operation written $c \to f$), as
in [ABM93]. Note that such an interpretation of an event is reasonable only when
a state is assumed as a semantic object, as part of the definition of an execution
sequence.

Definition 2 (Conditional independence) Two operations, $op_1$ and $op_2$, of the
form $c_1 \to f_1$ and $c_2 \to f_2$, respectively, are independent in a state $s$, denoted
$s \Rightarrow I(op_1, op_2)$, if beginning in state $s$ neither affects the truth of the other's
guard, and the result of executing them in either order is the same, i.e.,

$c_1(s) \Rightarrow (c_2(f_1(s)) \Leftrightarrow c_2(s))$

$c_2(s) \Rightarrow (c_1(f_2(s)) \Leftrightarrow c_1(s))$

$(c_1(s) \wedge c_2(s)) \Rightarrow (f_1(f_2(s)) = f_2(f_1(s))).$

The definition above is known as conditional independence [KP92a] because a
pair of operations may be dependent in some states, and independent in others.
The states in which two operations are independent are defined by a state
predicate. Two execution sequences are considered equivalent if they differ only in that
independent operations appear in a different order, but all dependent operations
appear in the same order. More formally,

Definition 3 (Equivalence) Two execution sequences $\rho_0$ and $\rho_n$ are equivalent
under independence relation $I$ (denoted $\rho_0 \equiv_I \rho_n$) if they are the first and last
elements in a sequence of execution sequences that each contain the same collection
of operation occurrences and for each adjacent pair, if $\rho_i$ has the form
$u\, s\, \alpha\, t\, \beta\, v$ then $\rho_{i+1}$ has the form $u\, s\, \beta\, t'\, \alpha\, v$ where
$s \Rightarrow I(\alpha, \beta)$.

This  definition  means  that  the  operation  occurrences  of  one  are  a  permutation  of 
those  in  the  other,  and  one  can  be  reached  from  the  other  by  repeated  interchanging 
of  events  from  states  in  which  they  are  independent. 

As a particularly relevant example, we consider the dependencies for a queue q
with operations emptyq(), putq(e), and getq(e), where e is a data element.

When the queue is nonempty, then putq(e) is independent of getq(f):

$\neg emptyq() \Rightarrow I(putq, getq)$ (1)

When the queue is empty, a putq and a getq operation will be dependent:

$emptyq() \Rightarrow \neg I(putq, getq)$ (2)

All adjacent pairs of putq's are dependent:

$\neg I(putq, putq)$ (3)

All adjacent pairs of getq's are dependent:

$\neg I(getq, getq)$ (4)

The  first  rule  is  intuitively  true  because  a  putq  and  a  getq  by  different  processors 
on  a  nonempty  queue  are  done  at  opposite  ends  of  the  queue,  and  never  involve 
the  same  item.  This  is  not  so  when  the  queue  is  initially  empty,  as  seen  in  rule 
(2).  In  that  case  the  getq  operation  must  follow  a  putq.  Note  that  if  only  complete 
independence  of  operations  were  expressible,  we  would  not  be  able  to  exploit  the 
above  independence  in  those  states  when  the  queue  is  nonempty. 

Rules (3) and (4) follow from the fact that the contents of the queue differ
according to the order of putq's, while the states of the rest of the system differ if
getq's are done in a different order. Therefore those operations are not independent
because the final state differs according to the order in which they are executed.

Here  the  independence  relations  above  are  viewed  as  given  assumptions  that 
are  part  of  the  definition  of  a  queue.  Alternatively,  an  algebraic  specification  of 
the  queue  operations  can  be  defined  as  in  [GH93]  to  express  that  the  value  at  the 
head  of  the  queue  is  the  oldest  one  put  in  that  has  not  yet  been  removed.  Then  the 
independence  relations  (1)  -  (4)  can  be  derived  from  the  algebraic  queue  axioms  and 
the  definition  of  conditional  independence.  In  Section  5,  a  temporal  logic  version 
of  the  queue  axioms  is  introduced. 

3  The  logic 

The version of temporal logic used in this paper is an adaptation of the logic ISTL*
introduced in [KP90], with additions to facilitate showing equivalence of execution
sequences. Most of the operators are those of CTL* [EH86], but interpreted as
true for a system if they hold for each interleaving set. The semantics of a system,
denoted M, is thus the collection of interleaving sets (each a set of equivalent
execution sequences) that are possible from each state. An interleaving set is
defined as an equivalence class of execution sequences for an independence relation
I. The syntax is thus standard, and the semantics (implicitly) universally quantifies
over the interleaving sets. In other temporal logics, the assertions are interpreted
over sequences of states. Here, we consider them over the derived sequence of states
from an execution sequence of alternating states and events. Arbitrary atomic
predicates are assumed, where each predicate is true for a subset of the states,
and false for the complement. Thus for a predicate without temporal modalities,
if an individual state is considered, $s \models p$ is equivalent to $p(s)$. For a sequence, we
evaluate a predicate in the first state:
$\sigma \models p$ is $\sigma_0 \models p$, when $p$ has no temporal modalities

There  are  two  kinds  of  temporal  modalities  in  the  logic.  The  modalities  E 
and  A  are  known  as  state  modalities  because  they  deal  with  all  of  the  possible 
continuations  from  a  given  global  state.  The  other  modalities  (F,  G,  X,  and  U ) 
are  known  as  path  modalities  since  they  deal  with  restrictions  on  a  given  execution 
path. 
For the path modalities, their semantics is given for a subsequence of states $\sigma$
derived from an execution sequence $\rho$. We have:
$\sigma \models Fp$ - for some state in $\sigma$, $p$ is true, $\exists i.\ \sigma_i \models p$
$\sigma \models Gp$ - for every state in $\sigma$, $p$ is true, $\forall i.\ \sigma_i \models p$
$\sigma \models Xp$ - for the next state in $\sigma$, $p$ is true, $\sigma_1 \models p$

$\sigma \models pUq$ - $p$ is true in states of $\sigma$ until $q$ becomes true (and $q$ does become true),
$\exists i.\ \forall j.\ (0 \le j < i \Rightarrow \sigma_j \models p) \wedge \sigma_i \models q$

On the other hand, an assertion beginning with a state modality is true if it is
true for every interleaving set of executions beginning from that state. Since the
system M is now a set of interleaving sets of execution sequences, we will quantify
over these sets also. In particular:

$(M, s) \models Ap$ - for every computation in each interleaving set of M from s, p is
true, $\forall L \in M.\ \forall \sigma \in L.\ s = \sigma_0 \Rightarrow (\sigma \models p)$

$(M, s) \models Ep$ - for some computation in each interleaving set of M from s, p is true,
$\forall L \in M.\ \exists \sigma \in L.\ s = \sigma_0 \Rightarrow (\sigma \models p)$

Such assertions are said to be true of a system if they are true in the initial
state of the system. To facilitate reasoning about sequences of operations, we add
some conventions. First, an operation name also serves as a state predicate that is
true precisely when that operation was executed in the transition from the previous
state. (An alternative temporal logic that treats operations more directly can be
seen in Lamport's TLA [Lam94]). Then sequences of operations (or other predicates)
can be denoted using

Definition 4 (Sequencing) "s; t" is a concise notation for the temporal logic
assertion $X(s \wedge Xt)$ (in the next state s holds, followed by a state with t).

Sequencing relates to a single execution sequence and can be preceded by E or A.
A longer sequence is written "s; t; u; ..." and is the obvious generalization.

The notation "$s_i\ (i = 1, n)$" is used to denote a sequence executing an $s_i$
operation on each processor i in turn, i.e., "$s_1; s_2; \ldots$". Note that all such sequences
are simply temporal logic assertions using the next operator X.

An expression EFEGp means that in each interleaving set there is a computation
such that eventually, there is a state such that for each interleaving set there
is a computation such that along the computation, p is true in all states from that
point. In the starred version of the logic, ISTL*, there is no restriction on which
combinations of the temporal operators are allowed. When temporal logics are used
in model checking of finite state programs, as is done for CTL, it is common to
restrict the combinations to facilitate efficient checking. In particular, the state
modalities E and A are required to alternate with the other (path) modalities.
Although many aspects of the specification below can be treated in ISTL with
alternating state and path modalities, here we do not treat whether such restrictions
allow sufficient expressibility, since in any case, model checking techniques are not
used.

Additional  information  on  I  within  the  temporal  descriptions  of  computations 
means  that  more  execution  sequences  can  be  proven  equivalent.  In  some  sense  the 
equivalence  classes  are  demonstrably  larger  and  fewer  convenient  executions  are 
required  to  guarantee  that  each  equivalence  class  contains  a  convenient  execution. 


4 Expressing independence and allowed computations

As noted in the Introduction, the refinement here will maintain sequential
consistency among a group of processors. The definition of sequential consistency given
in [ABM93] is:

A memory M is sequentially consistent with respect to a serial memory
$M_{serial}$ iff

$\forall \sigma \in Beh(M)\ \exists \tau \in Beh(M_{serial})\ \forall i = 1 \ldots n\ \ \sigma|i = \tau|i$

$Beh(M)$ is the set of execution sequences associated with M, and $Beh(M_{serial})$ is
the set where read and write operations are atomically done on the global memory.
The  above  asserts  that  the  projections  of  a  general  execution  on  each  processor  are 
the  same  as  those  in  some  execution  using  a  serial  memory,  even  though  the  general 
execution  may  have  extra  internal  steps  associated  with  the  memory,  so  that  a 
write  operation  may  not  affect  the  memory  directly.  Note  that  in  that  formulation, 
there  are  no  abstract  operations:  all  read  and  write  operations  are  considered  the 
same,  even  though  there  is  a  great  difference  between  a  write  that  directly  affects 
a  central  memory  atomically,  and  one  to  a  queue  that  eventually  will  have  its  value 
transferred  elsewhere.  To  express  this  in  a  context  with  refinement,  the  behavior 
of  the  serial  memory  is  viewed  as  a  sequence  of  abstract  atomic  read  and  write 
operations  that  satisfy  the  usual  memory  consistency  requirements  (to  be  defined 
below).  In  a  refinement,  these  are  shown  to  correspond  to  lower  level  convenient 
sequences,  where  each  abstract  operation  is  implemented  as  a  series  of  lower  level 
operations,  and  where  an  abstract  write  will  only  be  associated  with  a  single  lower 
level  write  in  the  sequence,  and  the  same  for  a  read. 

In order to define the requirements within the suggested framework, at each level
of refinement a formula $Gen_i$ (standing for general) is used to describe the collection
of general execution sequences at that level, as those satisfying the restrictions seen
in the formula. For each level except the first, an additional assertion, called $Con_i$
(for convenient), is used to describe additional restrictions that define a subset of
the computations satisfying $Gen_i$.

The highest level abstract read and write operations will be described by a
formula $Gen_0$. To capture the intuition of reading and writing into memory, we
express that the value returned for a variable or memory location x in an action
read(c, x) (meaning, read the value c in the variable x) is the last value written into
it by a write(d, x) (that is, write the value d in variable x) action, in the assertion:

$AG((write(d, v) \wedge X(\forall b(\neg write(b, v))\ U\ read(c, v))) \Rightarrow c = d)$ (5)

This is known as read/write consistency and is a fundamental assumption when
truly atomic reads and writes are being used. It states that if write(d, x) has
just been executed, and from the next state, there is no write action to x with
any value until a read(c, x) action is executed, then the value read is the one
previously written. Note that if there is an intermediate write with the same
value as d, then the left side of the implication does not hold in the state after
the first occurrence of write(d, x), but instead the assertion must hold from the
later write(d, x), where the left side of the implication is true, and thus c = d still
must be true. This requirement does not seem to appear explicitly in [ABM93].
However, the operations there are defined using a Memory data structure (an array
representing the contents of memory), and the effects of the atomic operations are
defined so that a value can be returned for a variable only if it is the latest value
written to that variable. Thus the same consistency requirement is simply given
implicitly.

Read/write  consistency  says  nothing  about  a  read  operation  on  a  variable  never 
written  to.  Among  the  common  default  assumptions  are  that  a  fixed  initial  value 
is  then  read,  that  the  value  read  is  arbitrary,  or  that  such  an  operation  is  illegal. 
In  the  continuation,  we  do  not  treat  this  issue,  since  whatever  assumption  is  made 
on  the  abstract  level  can  be  easily  implemented  in  the  refinements.  If  a  fixed  initial 
value  is  assumed,  dummy  initialization  operations  can  be  assumed  at  the  beginning 
of  every  computation.  The  simplest  assumption  for  verification  is  that  such  a  read 
operation  of  an  undefined  variable  is  never  attempted  on  the  abstract  level,  and 
thus  the  issue  will  also  not  arise  in  refinements. 

As part of the specification of sequential consistency, the operations are
augmented with subscripts that identify the processor in which they are executed (e.g.,
$write_3$ is associated with processor 3). Since the operations are atomic and global
in effect, this association has no other significance, but does establish a local
ordering for each execution sequence that must be maintained by subsequent refinements
in order to show sequential consistency. Thus $Gen_0$ is the above equation with all
possible combinations of subscripts added, for every possible state, namely:

For all processors i and k (where j also quantifies over processors),

$AG((write_i(d, v) \wedge X(\forall j \forall b(\neg write_j(b, v))\ U\ read_k(c, v))) \Rightarrow c = d)$ (6)

The execution sequences defined by $Gen_0$ can be identified with $M_{serial}$.
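Formula (6) and the definition of sequential consistency from [ABM93] can both be checked by exhaustive search on a short trace, which makes the "intermediate write with the same value" case and the role of the projections $\sigma|i$ concrete. The following is an added example, not code from the paper: the event encoding (processor, kind, value, variable), the fixed initial value 0 for every variable (one of the default assumptions the text lists, standing in for dummy initialization operations), the constructed traces and all function names are this example's own assumptions. The search for $\tau$ keeps every projection by construction and only has to find an interleaving satisfying $Gen_0$.

```python
"""Read/write consistency (formula (6)) and the definition of sequential
consistency, checked on small constructed traces.  Added example, not code
from the paper; event encoding, initial value 0 and all names are assumptions."""
from typing import Dict, List, Optional, Tuple

Event = Tuple[int, str, int, str]   # (processor i, "write" | "read", value, variable)


def projection(alpha: List[Event], i: int) -> List[Event]:
    """alpha|i: the local operations of processor i, in their order."""
    return [ev for ev in alpha if ev[0] == i]


def violations(alpha: List[Event], init: int = 0) -> List[Tuple[int, Event]]:
    """Positions of reads that break (6): a read_k(c, v) whose most recent
    preceding write_j(d, v), by any processor j, had d != c (or c != init
    when v was never written).  Every read since the last write to v is
    constrained, because the U in (6) is satisfied at each of them."""
    mem: Dict[str, int] = {}
    bad = []
    for pos, (i, kind, val, var) in enumerate(alpha):
        if kind == "write":
            mem[var] = val
        elif mem.get(var, init) != val:
            bad.append((pos, (i, kind, val, var)))
    return bad


def rw_consistent(alpha: List[Event], init: int = 0) -> bool:
    return not violations(alpha, init)


def serial_witness(alpha: List[Event], init: int = 0) -> Optional[List[Event]]:
    """Search for tau in Beh(M_serial): an interleaving of the processors'
    projections of alpha that satisfies Gen_0 (read/write consistency).
    Such a tau has tau|i == alpha|i for every i, so it is exactly the
    witness the definition of sequential consistency asks for.  Returns
    None when no interleaving works, i.e. alpha is not sequentially
    consistent."""
    procs = sorted({ev[0] for ev in alpha})
    local = {i: projection(alpha, i) for i in procs}
    idx = {i: 0 for i in procs}
    tau: List[Event] = []

    def dfs(mem: Dict[str, int]) -> bool:
        if len(tau) == len(alpha):
            return True
        for i in procs:
            if idx[i] == len(local[i]):
                continue
            ev = local[i][idx[i]]
            _, kind, val, var = ev
            if kind == "read" and mem.get(var, init) != val:
                continue          # placing this read here would break (6)
            idx[i] += 1
            tau.append(ev)
            if dfs({**mem, var: val} if kind == "write" else mem):
                return True
            idx[i] -= 1
            tau.pop()
        return False

    return list(tau) if dfs({}) else None


def sequentially_consistent(alpha: List[Event], init: int = 0) -> bool:
    return serial_witness(alpha, init) is not None


# Constructed traces (not from the paper).  SAME_VALUE is the case discussed
# in the text: (6) binds the read to the later write_2(5, x), and c = d holds.
SAME_VALUE = [(1, "write", 5, "x"), (2, "write", 5, "x"), (3, "read", 5, "x")]
STALE_READ = [(1, "write", 5, "x"), (2, "write", 7, "x"), (3, "read", 5, "x")]
# Local operations seen in a general execution where each processor writes
# its own variable and then reads the other's as 0: no serial interleaving
# of the two projections reproduces both reads.
STORE_BUFFER = [(1, "write", 1, "x"), (2, "write", 1, "y"),
                (1, "read", 0, "y"), (2, "read", 0, "x")]
ALLOWED = [(1, "write", 1, "x"), (2, "write", 1, "y"),
           (1, "read", 1, "y"), (2, "read", 0, "x")]
```

`serial_witness(ALLOWED)` returns the serial order in which processor 2 writes and reads before processor 1 does anything, while `serial_witness(STORE_BUFFER)` returns `None`: each read forces the other processor's write to come later, and the two constraints contradict the local orders.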

At the next level, where queues and delayed memory writes are defined, another
temporal logic formula $Gen_1$ will define all legal computations, and the additional
properties true of those computations that trivially implement the abstract ones
will be described in $Con_1$. The computations defined by $Con_1$ also need to be
shown not to affect the ordering of local operations seen in the serial memory.

As  part  of  the  proof  requirements  of  a  refinement,  it  is  necessary  to  express  as  a 
formula  in  the  logic  which  adjacent  operations  in  an  execution  are  independent  and 
which  are  not.  This  is  used  in  proving  that  each  execution  sequence  of  the  system 
is  equivalent  to  a  convenient  one  within  the  logic. 

The independence relation must be defined so that it reflects sequential
consistency. That is, the local operations of each processor must be unchanged for any
two computations that are to be considered equivalent. Thus we assume a total
order (i.e., non-independence) among local operations of a single processor. Since
this order must be maintained for all equivalent execution sequences, we obtain
the identity of local projections for every two equivalent execution sequences, as
required in the definition of sequential consistency.

Before  stating  the  requirements  for  a  correct  refinement,  some  definitions  and 
properties  of  the  needed  independence  relation  are  summarized. 
Definition 5 An independence relation I is known as s.c. independent if for any
two operations $a_i$ and $b_i$, local to processor i,

$\neg I(a_i, b_i)$ (7)

Lemma 1 If two sequences differ by one exchange that occurs in a state that
satisfies the s.c. independence condition I, and one of the sequences is sequentially
consistent, then so is the other.

Proof: by requirement 7 two local operations from a single processor do not satisfy
I, and thus these could not be the operations exchanged. Therefore the exchange
does not change the order of the operations for any single processor, and the
projections for each processor are identical in the two sequences. Since the definition
of sequential consistency only relates to these projections, if one sequence satisfies
the definition, so does the other. □

Lemma 2 If two sequences are equivalent under an s.c. independence relation I,
and one is sequentially consistent, then so is the other.

Proof: Since the two execution sequences are equivalent under I, there is a sequence
of sequences that each differ by one exchange. The lemma follows by repeated
application of Lemma 1. □

Lemma 3 If $Gen \Rightarrow E\, Con$ for an s.c. independence relation I and Con
defines computations that are sequentially consistent, then all sequences in Gen are
sequentially consistent.

Proof: Computations defined by Con are sequentially consistent by assumption.
$E\, Con$ means that every equivalence class of Gen has at least one such computation.
The result follows by Lemma 2. □

In showing a refinement to a lower level, the legal computations of the
implementation are described as temporal logic predicates. This in fact encodes the essential
properties of the implementation, including, for cache consistency, restrictions on
when a read action is possible.

Moreover, predicates are needed that make the independence of adjacent
operations explicit. These can be justified from the underlying semantics of the model, or
by properties of the data structures used. In the case of sequential consistency, the
independence is further restricted by the problem specification, namely that there
is a total ordering among local processor write's and read's. These properties can
often be shown once for a large collection of related problems. The most important
independence relations, that allow exploiting the essential nature of distributed
systems, state that local operations of different processors are independent. That is,
local operations $a_i$ and $b_j$ of different processors are independent:

$i \neq j \Rightarrow I(a_i, b_j)$ (8)

The independence relations define what exchanges of operations can be made,
and thus which computations are equivalent. This needs to be introduced into the
logic explicitly, through the formula

$AG(I(a, b) \Rightarrow (E\, ``a; b" \Leftrightarrow E\, ``b; a"))$

In words, if I(a, b) holds in a state, then for every interleaving set there is a sequence
that begins in that state and then has "a; b" iff there is one with "b; a" at that point.

The  convenient  executions,  also  described  by  a  temporal  logic  formula,  need  to 
be  shown  to  correctly  implement  the  general  computations  from  the  next  higher 
level,  using  the  following  definition: 

Definition  6  A  collection  of  execution  sequences  S  implements  a  collection  T  if 
there  is  a  mapping  function  between  the  states  of  S  and  those  of  T  such  that  for 
each  sequence  in  S  the  mapping  yields  a  sequence  in  T,  and  each  sequence  in  T  has 
at  least  one  sequence  in  S  that  maps  into  it. 

Note that it is not sufficient to show that the mapping of the lower level
computations are a subset of the higher level ones. As is pointed out in the refinement
calculus of Z [MV94] and elsewhere [BS90], there must be a lower level computation
that implements each higher level one, i.e., we are not allowed to "refuse" to
implement a legal higher level sequence of read's and write's. Although the mapping
appears to be unrestricted in the definition, the result must satisfy the higher level
temporal assertion that defines the collection of abstract computations, and thus
only intuitively reasonable mappings will prove acceptable.

Now  the  correctness  requirements  for  a  refinement  may  be  summarized: 

Definition 7 For general computations $Gen_i$ and a lower level defined by general
computations $Gen_{i+1}$ and additional properties that define a convenient
computation $Con_{i+1}$, under the equivalence defined by I, the lower level is a correct
refinement for sequential consistency if

• The relation I in $Gen_{i+1}$ is s.c. independent.

• $(Gen_{i+1} \wedge Con_{i+1})$ implements $Gen_i$

• If $Gen_i$ is sequentially consistent, so is $Gen_{i+1} \wedge Con_{i+1}$,

• $Gen_{i+1} \Rightarrow E\, Con_{i+1}$

The independence relations will be constructed with s.c. independence built
in (because local operations will not be independent), and so this aspect will
generally be trivially satisfied. The correctness of the implementation for convenient
sequences requires defining the mapping function, and then showing by induction
on any lower level convenient execution sequence that it maps to a higher level
execution sequence, if the mapping is applied to each state. As noted, we also need
to show that each higher level computation has a lower-level convenient one that
maps into it. Because the correspondence between the levels seen here involves a
simple substitution, both directions can be shown at once.

The  proof  of  the  third  requirement,  that  the  lower  level  convenient  computations 
are  sequentially  consistent  if  the  higher  level  general  ones  are,  is  also  structural 
in  nature,  and  is  shown  by  a  simple  induction.  Since  the  lower  level  convenient 
executions  are  obtained  by  substituting  a  sequence  of  operations  in  place  of  one,  it 
is  enough  to  show  that  in  the  sequence,  local  read  and  write  operations  are  done 
in  the  same  order  and  from  the  same  local  state  as  before  the  substitution.  Since 
the  upper  level  computation  is  given  as  sequentially  consistent,  the  lower  level  one 
is  also. 
The remaining requirement, that every lower level computation is equivalent to
some  convenient  one,  can  be  shown  in  several  ways.  One  promising  approach  applies 
model  checking  techniques  to  this  problem,  especially  techniques  modifying  known 
approaches  that  exploit  partial  order.  Here  we  will  not  pursue  that  direction,  and 
instead  present  semantic  proofs  of  equivalence  based  on  a  well-founded  function. 
That  is,  for  each  sequence  a  measure  into  a  well-founded  set  is  shown.  The  base 
values  of  the  measure  are  shown  to  be  the  result  of  applying  the  measure  function 
to  the  convenient  execution  sequences,  and  every  other  sequence  is  shown  to  be 
equivalent  to  one  with  a  smaller  measure. 

Theorem 1 Given a temporal predicate P describing a collection of execution
sequences and independence conditions that define a relation $\equiv_I$, and another
temporal predicate Q describing an additional restriction, then $P \Rightarrow E\, Q$ if there is a
well-founded set with an ordering relation $(W, >)$, and a function f from sequences
such that

• $P(\sigma) \Rightarrow f(\sigma) \in W$

• $P(\sigma) \Rightarrow (Q(\sigma) \Leftrightarrow f(\sigma)$ is a minimal element of $W)$

• $(P \wedge \neg Q)(\sigma) \Rightarrow \exists \tau.\ P(\tau) \wedge f(\sigma) > f(\tau) \wedge \sigma \equiv_I \tau$

The proof of the soundness of the proof rule seen in the above theorem is identical to soundness proofs of termination of programs using well-founded sets. Each minimal element is the result of a mapping from a sequence satisfying $Q$ (that will correspond to a convenient sequence). Since the domain of the measures is well-founded, by the definition of well-foundedness, each decreasing chain of values is finite. Each nonconvenient sequence is shown equivalent under $I$ to one with a smaller function value, and so both map to values that are part of a decreasing chain. Since these chains are finite, each sequence is equivalent to one of minimal measure, i.e., to a convenient sequence.

The definition of the measure is, of course, non-automatic. However, for the example here a standard measure can be used involving the number of operations that are interspersed among the sequential subsequences that correspond to the implementations of upper level operations seen in the convenient execution sequences. This will be illustrated in the proof presented later. A drop in the value of the mapping for two equivalent computations can be shown by using the information on which operations are independent of which other ones. This checking of equivalence can be automated, and a project is presently underway to implement this.

Theorem 2 If a series of refinements $Gen_0, Gen_1, \ldots, Gen_n$ (with convenient executions $Con_1, \ldots, Con_n$) are shown to be correct refinements for sequential consistency, then the computations defined by $Gen_n$ are sequentially consistent.

Proof: By induction on the levels. $Gen_0$ is sequentially consistent by definition. For each pair of levels, the lower convenient executions are a correct implementation of the upper level operations, as seen through the mapping function (the second condition for correctness in Definition 7). In addition, if the upper level is sequentially consistent, then the convenient executions at the next lower level are also (the third condition). Since the independence relation is s.c. independent (the first condition), and every equivalence class contains one of the convenient execution sequences (the fourth condition), it follows, using Lemma 3, that every computation at this level is equivalent to a correct implementation and is sequentially consistent, as required. □

5 Introducing Out queues

We consider how to refine abstract read and write actions. An abstract write action can be implemented by adding to the end of a queue the pair consisting of the value to be written and the memory address, later removing that pair from the head of the queue, and then writing it in the memory. If we denote the action of putting the value-address pair in the queue by $W(d, v)$, and the action of removing the pair from the head of the queue and writing to the memory by $MW(d, v)$ (standing for Memory Write), such a pair is the implementation of the abstract write. Thus $W$ is associated with a put operation, and $MW$ combines a get with writing to memory.

Similarly, an abstract read could be implemented by reading from the memory, adding the value-location pair to another queue, and later reading the value-address pair from the head of that queue into the local processor. However, this is not done here, and we assume a direct atomic action denoted $R(d, v)$, meaning that value $d$ is read from address (or variable) $v$.

If we now replace the abstract read and write actions of the serial memory by the lower level actions above, we arrive at a situation that can be viewed as the addition of abstract write queues to the serial memory. Since we have a collection of such queues, the “lower” level involves operations on an $Out_i$ queue between the processor $i$ and the central memory, for each processor. Since there now is a queue for each processor, we denote writing to the end of the $i$th queue by $W_i$, and removing an element from the head of that queue plus writing to the memory by $MW_i$. Reading by processor $i$ is denoted by $R_i$. All of these have the same parameters as previously, namely the value and the address (or variable name). The events that are considered local to a processor $i$ are not independent, and these include all occurrences of $W_i$ and $R_i$ but not $MW_i$. On this level, only the $MW_i$ and $R_i$ operations directly involve the memory and are required to satisfy read/write consistency. Thus we have:

For all processors $i$, $j$, and $k$,

$AG((MW_i(d, v) \wedge X(\forall j \forall b (\neg MW_j(b, v)) \, U \, R_k(c, v))) \Rightarrow c = d)$ (10)

Now we shall define a collection of convenient executions that are guaranteed to satisfy the requirements from $M_{serial}$ (i.e., from the abstract computations defined by $Gen_0$). In the convenient executions, items are inserted by the processor $i$ using $W_i$ operations into the corresponding $Out_i$ queue and immediately removed and copied to the central memory by the $MW_i$ action. In these very particular computations, every $W_i$ is immediately followed by writing into the memory using $MW_i$, with no intervening operations anywhere in the system. The queues are thus always empty except when a single item has just been put in and has not yet been written to the memory in the next step. In temporal logic we can state the requirement for a convenient computation (beyond those for any general computation) as simply

$G(W_i(c, x) \Leftrightarrow XMW_i(c, x))$ (11)

That is, throughout the computation, if a $W_i$ has occurred, it is immediately followed by the corresponding $MW_i$, and every $MW_i$ is preceded by a $W_i$ with the same parameters. Note that only the $W_i$ and $R_i$ operations are local to processor $i$. The $MW_i$ operations involve only the head of the $i$-th queue and the main memory, and are considered nonlocal to processor $i$. Every adjacent $W_i; MW_i$ pair is clearly a trivial implementation of the direct write on the abstract level. In order to prove this precisely, we have the lemma:

Lemma 4 For each computation with atomic read and write operations, there is a computation where each write is replaced by a $W_i; MW_i$ pair, and those are a correct implementation of the abstract computations.

Proof: By induction on the two sequences, using the identity function from the lower level central memory to the higher level one, and ignoring the contents of the queues. The initial states are the same. Assuming the sequences correspond up to a state where a write occurs in the abstract sequence, then the next lower state (after the $W_i$) still is mapped to the present upper one. The state after the $MW_i$ is mapped (and is identical) to the next abstract state. The read commands correspond identically. Thus the concrete sequence implements the abstract one. □

Lemma 5 The convenient sequences defined by memory consistency and the formula

$AG(W_i(c, x) \Leftrightarrow XMW_i(c, x))$

are sequentially consistent.

Proof: The upper level executions have atomic reads and writes that are by definition sequentially consistent. There is a one-to-one correspondence between the atomic writes and the $W_i$'s, in the same order, and the lower level $R_i$ operations are still atomic. The $R_i$ operations have unchanged values relative to the upper level, because the needed $MW_i$ occurs immediately after the $W_i$. Thus the lower level executions are also sequentially consistent. □

Then we need to claim that every execution of the lower level satisfying the queue axioms and the memory consistency assumptions is equivalent under the s.c. independence relation $I$ to one of the convenient executions defined above. This is almost true, but we need to restrict the $R_i$ operations of the lower level to maintain the total order among local actions of a single processor. Consider a situation where a processor has written a pair $(d, x)$ to its Out queue, then reads the value of $x$ (implemented as an $R$), and only then is a $MW$ executed on that queue, changing the memory. The value read is clearly whatever was in the memory before the last $MW$. This implies that there is a linearization consisting of

$W_i(d, x); R_i(c, x); MW_i(d, x)$

with $d \neq c$. But such a computation is not consistent with the dependency requirements, because we claim that it is not equivalent to any convenient computation. If we wish to find a convenient execution to which this one is equivalent, we must show that the $R$ operation can be exchanged, either with the following $MW$ or the preceding $W$. The former exchange would lead to

$W_i(d, x); MW_i(d, x); R_i(c, x)$

This is not a convenient execution, since it violates the restrictions on the value read being the last one written in the memory location (read/write consistency). Exchanging the $R_i$ and $W_i$ operations would lead to

$R_i(c, x); W_i(d, x); MW_i(d, x)$

This is a convenient sequence, but is not equivalent to the original one, because it does not have the same total order of the local operations in processor $i$.

This difficulty is inherent to any implementation that must maintain sequential consistency (although explained here in terms of equivalent sequences) and is solved, for example, in [ABM93] by simply requiring that the lower level operations be restricted: any $R_i$ is ‘delayed’ until the $Out_i$ queue is empty, i.e., until all of the ‘pending’ $MW_i$ operations have been done. In that case the problematic computation described above is simply declared impossible. Of course, there is no such restriction for reading and writing from different processors (when the subscripts are different). The restriction on the implementation is again a temporal logic formula and can be expressed in several ways. One approach treats the actions directly, using a $\#$ symbol to denote the number of times an operation has occurred:

$AG(R_i \Rightarrow (\#W_i = \#MW_i))$

That is, no $R_i$ is between a $W_i$ and an $MW_i$, because every $W_i$ before $R_i$ has a corresponding $MW_i$ that also appears in the execution sequence before $R_i$. Another way to express this is to define a predicate $empty$ that is true when the queue is empty and simply state that

$AG(R_i \Rightarrow empty(Out_i))$ (12)

Such a predicate is expressed using temporal formulas derived from well-known algebraic axioms. A predicate $number$ is defined recursively in terms of each operation (incrementing when an item is inserted and decrementing when one is removed) and $empty$ can be seen as a derived predicate true when $number = 0$. We shall assume that expressions defining such predicates have been defined, and use the second alternative.

Now we need to express the properties of a queue within our formalism. The independence relations for queues (1-4) will have $W_i$ corresponding to put and $MW_i$ to get for each queue $Out_i$. A temporal logic queue axiom will be added to fix the value at the head of the queue when a single item is inserted into an empty queue:

$(empty(Out_i) \wedge ``W_i(c, x); MW_i(d, y)") \Rightarrow c = d \wedge x = y$ (13)

Along with the independence of $W_i$ and $MW_i$ when the queue is nonempty, assertion (13) corresponds to the usual recursive algebraic axiom that a get is independent of a put when the queue is initially nonempty, and otherwise the value returned by the get is the one just inserted by the put operation. Using this axiom along with the other independence axioms about queues, we can deduce the expected behavior of a queue. For example, starting from an empty queue, if the sequence of actions

$W_i(a, x); W_i(b, y); MW_i(c, z)$

is done, then the pair $(c, z)$ must be exactly $(a, x)$ (because the last two operations are independent by the adaptation of assertion (1), and in the resultant equivalent execution sequence the assertion (13) can be used).

In addition to the axioms given above, a progress property [MP92] on queues is needed. It is essential that every element put in the queue will eventually be removed (with the other axioms fixing the order). Otherwise, a scheduler in which elements accumulate forever in one of the queues could lead to an incorrect implementation. This property will be expressed as

$AG(W_i(c, x) \Rightarrow AF \, MW_i(c, x))$ (14)

Note that this assertion by itself could be satisfied by a computation where two $W_i(c, x)$ are followed by only one $MW_i(c, x)$. By the assertions that define the queue, however, such a computation is equivalent to one where the second $W_i(c, x)$ is exchanged with the $MW_i(c, x)$ (because the queue is nonempty at that point). In that equivalent computation there must be a second $MW_i(c, x)$ by the above assertion. Since all equivalent computations have the same collection of events, it follows that the original computation also had a second $MW_i(c, x)$, i.e., every put is followed by a matching get.
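The delay condition (12), the queue axiom (13) with its FIFO consequence (the deduction that $MW_i(c, z)$ after $W_i(a, x); W_i(b, y)$ must return $(a, x)$), read/write consistency (10) and the progress property (14) can all be checked mechanically on a finite execution sequence. The following Python checker is an added example and is not code from the paper: it simulates the $Out$ queues and the central memory of this level and reports the first assertion an execution violates. The tuple encoding of operations, the assumption that unwritten locations hold 0, and the sample sequences are constructed for this example.

```python
"""Checker for lower level executions with Out queues.

Added example, not the paper's own code.  An operation is a tuple
(kind, proc, val, var):
  ("W",  i, d, x)   W_i(d,x):  processor i appends (d,x) to Out_i
  ("MW", i, d, x)   MW_i(d,x): the head of Out_i is removed and written to memory
  ("R",  i, c, x)   R_i(c,x):  processor i reads c from location x
Locations not given an initial value are assumed (for this example) to hold 0.
"""
from collections import deque


def number(ops, i):
    """The recursively defined 'number' predicate for Out_i after ops:
    +1 for each W_i, -1 for each MW_i.  empty(Out_i) is number(ops, i) == 0."""
    return sum(1 if k == "W" else -1 for k, p, _, _ in ops if p == i and k != "R")


def check_execution(ops, memory=None):
    """Return (True, "") if ops respects the queue axioms (FIFO order and (13)),
    the delay of reads (12) and read/write consistency (10); else (False, reason)."""
    mem = dict(memory or {})
    out = {}                                   # proc -> deque of pending (val, var)
    for step, (kind, i, val, var) in enumerate(ops):
        q = out.setdefault(i, deque())
        if kind == "W":                        # put at the end of Out_i
            q.append((val, var))
        elif kind == "MW":                     # get from the head, then write memory
            if not q:
                return False, f"step {step}: MW_{i} on empty Out_{i}"
            head = q.popleft()
            if head != (val, var):             # (13), and FIFO order for longer queues
                return False, f"step {step}: MW_{i}{(val, var)} but head of Out_{i} is {head}"
            mem[var] = val
        elif kind == "R":
            if q:                              # delay of reads, assertion (12)
                return False, f"step {step}: R_{i} while Out_{i} is nonempty"
            held = mem.get(var, 0)
            if held != val:                    # read/write consistency, assertion (10)
                return False, f"step {step}: R_{i} read {val} from {var} but memory holds {held}"
        else:
            return False, f"step {step}: unknown operation {kind}"
    return True, ""


def drained(ops):
    """Finite-prefix form of the progress property (14): at the end of ops
    every W_i has been matched by its MW_i, i.e. all Out queues are empty."""
    return all(number(ops, i) == 0 for i in {p for _, p, _, _ in ops})


# Constructed sample executions for processors 1 and 2 on location x.
FORBIDDEN = [("W", 1, 5, "x"), ("R", 1, 0, "x"), ("MW", 1, 5, "x")]   # R_i inside its own W_i..MW_i interval
LEGAL = [("W", 1, 5, "x"), ("R", 2, 0, "x"), ("MW", 1, 5, "x"), ("R", 2, 5, "x")]

if __name__ == "__main__":
    print(check_execution(FORBIDDEN))   # rejected by the delay of reads (12)
    print(check_execution(LEGAL))       # (True, '')
```

Note that the problematic linearization $W_i(d, x); R_i(c, x); MW_i(d, x)$ is rejected by (12) before the value read is even compared, whereas its exchanged form $W_i(d, x); MW_i(d, x); R_i(c, x)$ with $c \neq d$ is rejected by read/write consistency (10), mirroring the two failed exchanges discussed above. A read by another processor between $W_1$ and $MW_1$ is allowed and sees the old memory value.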

The properties of the general lower level computations can be obtained by summarizing the discussion so far in temporal logic, with the assertions seen in Figure 1. The queue axioms above are of course essential. We also have the independence and dependence relations on all local actions in each processor (7-8). To these we add the read/write consistency rules for simple memory locations (10), the delay condition on reads (12), and the formula connecting $I$ and equivalence (9). $Gen_1$ is the assertion beginning $AG$ over the conjunction of the assertions in Figure 1, defining the legal computations in the first level of refinement that adds Out queues. Note that some independence relations are not given explicitly in $Gen_1$, but can be derived from the relations among the operations that are given. For example, read/write consistency on this level implies that in some states $MW_i$ and $R_j$ are not independent since their order affects the value read.

The higher level, $Gen_0$, is defined by the assertion (6). The added restriction on the computations satisfying $Gen_1$ that defines the convenient computations, i.e., $Con_1$, is the assertion (11). Considering the proof obligations, it is clear that $I$ is s.c. independent, by definition. Lemma 4 is a proof that $Gen_1 \wedge ACon_1$ implements $Gen_0$ while Lemma 5 shows that if $Gen_0$ is sequentially consistent, so is $Gen_1 \wedge ACon_1$.

It remains to show that an execution sequence satisfying these dependencies must be equivalent (under the relation $I$) to one where all $W$–$MW$ pairs from the same queue are adjacent (11), i.e., to one of the convenient sequences. In terms of ISTL*, the temporal logic formula $Gen_1$ must imply $ECon_1$. Below the lemma is proven by applying the well-founded set technique seen in Theorem 1.

Lemma 6 $Gen_1 \Rightarrow ECon_1$.
queues, for processor $i$:

$\neg empty(Out_i) \Rightarrow I(W_i, MW_i)$

$empty(Out_i) \Rightarrow \neg I(W_i, MW_i)$

$(empty(Out_i) \wedge ``W_i(c, x); MW_i(d, y)") \Rightarrow c = d \wedge x = y$

$\neg I(MW_i, MW_i)$

$W_i(c, x) \Rightarrow AF \, MW_i(c, x)$

locality, for $a$, $b$ operations $W$ or $R$ in processors $i$, $j$:

$i \neq j \Rightarrow I(a_i, b_j)$

read/write memory consistency, for all processors $i$, $j$, and $k$:

$AG((MW_i(d, v) \wedge X(\forall j \forall b (\neg MW_j(b, v)) \, U \, R_k(c, v))) \Rightarrow c = d)$

delay of reads, for processor $i$:

$AG(R_i \Rightarrow empty(Out_i))$

independence and equivalence, for operations $a$ and $b$:

$AG(I(a, b) \Rightarrow (E``a; b" \Leftrightarrow E``b; a"))$

Figure 1: Conjuncts in the formula $Gen_1$ describing lower level computations


Proof: The formula $Gen_1$ is $AG$ (universal quantification over the states) of the conjunction of the formulas in Figure 1. Assuming this formula, we must show

$EG(W_i(c, x) \Leftrightarrow XMW_i(c, x))$.

As noted previously, the queue axioms in $Gen_1$ imply that each $W_i(d, x)$ is eventually followed by a matching $MW_i(d, x)$. Each matching $W_i(d, x)$–$MW_i(d, x)$ pair defines an interval: the subsequence of states between the pair. The distance of the interval is the number of states in it. An adjacent pair has an empty interval and a distance of zero. The measure of a finite computation sequence is the sum of the distances of all intervals in it. For all convenient sequences, the measure is zero, and every sequence with a measure of zero is a convenient one.

The measure thus is the function needed to apply Theorem 1, and it remains to show that each sequence with a nonzero measure is equivalent to one with a smaller measure. Consider any nonconvenient sequence $\sigma$ (which thus has a nonzero measure), and a matching pair in it (denoted $W_i(d, x)$–$MW_i(d, x)$) with the smallest positive distance. Call the interval of that matching pair the interval of interest. We will show that the sequence $\sigma$ is equivalent to one with a smaller measure by showing that there is a one-to-one correspondence among intervals in the two sequences where all other intervals have a distance no larger than the corresponding one in $\sigma$, and the interval in the new sequence corresponding to the interval of interest is strictly smaller.

In practice, either an operation at the beginning of the interval of interest can be moved to before the preceding $W_i(d, x)$ without affecting other intervals, or one can be moved from the end of the interval past the following $MW_i(d, x)$. If the first state in the interval of interest satisfies $MW_j(c, y)$ for any $j$, $c$, and $y$ (including $j = i$), the independence relations show that there is an equivalent computation with the $MW_j$ before the $W_i(d, x)$ ($j = i$ is included because the queue is nonempty at that point). The same is true of any $R_j$ where $j \neq i$ (and $R_i$ cannot appear by equation 12). In each of these cases, the measure of the equivalent sequence is smaller because all other intervals are unaffected or are made smaller.

If in the first state of the interval of interest there is a $W_j(c, y)$ followed immediately by a matching $MW_j(c, y)$ (thus defining an empty interval) there is an equivalent computation with that pair before the $W_i(d, x)$ and thus with a smaller measure. The equivalence must be shown in two stages: after the first exchange the empty interval corresponds to one with a distance of one, but after the second, it returns to zero. Note that in this case $j$ must be different from $i$ since otherwise the queue axioms for $Out_i$ would be violated: two items are inserted into the queue in one order and then removed in the opposite order, which contradicts the definition of a queue.

The only other possibility at the beginning of the interval of interest is of a $W_j(c, v)$ not followed by a corresponding $MW_j$ until after the interval of interest (otherwise the interval of interest would not define the smallest positive distance). In this case we must consider how to move an operation past the end of the interval of interest. The last such $W_j$ before the $MW_i(d, x)$ at the end of the interval of interest also cannot have its corresponding $MW_j$ within the interval of interest, since otherwise the queue axioms for the $Out_j$ queue would be violated. There also cannot be a $R_j$ in the interval. Thus the independence relations on the remaining operations guarantee that there is an equivalent computation like the one being considered except with that last $W_j$ exchanged with all possible operations between it and the end of the interval of interest and finally with the $MW_i(d, x)$ after the interval of interest. This again yields a computation with a smaller measure. □

             W_j     MW_j    R_j     W_i     MW_i    R_i
   W_i        +       +       +       -      (1)      -
   MW_i       +      -(2)    -(2)    (1)     -(2)    -(2)
   R_i        +      -(2)     +       -      -(2)     -

(1) ‘+’ if $\neg empty(Out_i)$, ‘-’ if $empty(Out_i)$

(2) ‘-’, but could extend to ‘+’ for different variables.

Table 1: Summary of independence relations for $Gen_1$.

The proof here systematically analyzes which pairs of operations are independent under what conditions, to show that any computation is equivalent to a convenient one. We show exchanges that bring a general computation ‘closer’ according to some measure to a convenient one.

An aid to following (and generating) the argument above can be given in table form. In Table 1 the independence relations are given for a matching pair $W_i$ and $MW_i$, and for $R_i$, relative to all of the other operations, both for other processors $j \neq i$ and within $i$, assuming that they relate to the same variable. The relations explained previously are the justifications for the symbols, where “+” means that the operations are independent, while “-” means that they are not. Note that a conservative approach is taken where sometimes operations are considered dependent even if in some cases (e.g., reading and writing to different variables in the memory) they may be independent. This only means that some execution sequences cannot be proven equivalent even though otherwise they could be, and thus each must be shown equivalent to a different representative execution.

Note that $R_i$ is not independent of either $W_i$ (because they both are local to $i$) nor of $MW_i$ (because they both relate to the central memory and must maintain memory consistency). This again reinforces the implementation decision to forbid such a read operation between writing to the local output queue and writing from the head of the queue to the central memory. The need to ‘shorten’ the distances in intervals of interest, along with the independence relations, dictates which equivalent sequences must be investigated, and can be used for automatic generation of the cases to be treated.
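The measure argument of Lemma 6 and the case analysis that Table 1 supports can be carried out mechanically, which is the kind of automation the text anticipates. The following Python example is added here and is not the paper's code: it computes the measure (the sum of interval distances), encodes Table 1 conservatively as an independence test whose $W_i/MW_i$ entry depends on whether $Out_i$ is nonempty, and normalizes a sequence by the three cases of the proof (move a leading $MW_j$ or $R_j$ before $W_i$, move an adjacent $W_j; MW_j$ pair before $W_i$ in two stages, or move the last pending $W_j$ past $MW_i$), checking that every exchange is between independent operations and that the measure strictly decreases at each step. The operation encoding, the matching of the $k$-th $W_i$ with the $k$-th $MW_i$, and the sample sequences are constructed for this example.

```python
"""Measure-decreasing normalisation of Out-queue executions.

Added example, not the paper's own code.  Operations are tuples
(kind, proc, val, var) with kind in {"W", "MW", "R"}; the k-th W_i of a
sequence is matched with the k-th MW_i, since Out_i is a FIFO queue.
"""
from collections import Counter


def queue_len_before(seq, pos, proc):
    """Items pending in Out_proc just before seq[pos] is executed."""
    n = 0
    for kind, p, _, _ in seq[:pos]:
        if p == proc:
            n += 1 if kind == "W" else (-1 if kind == "MW" else 0)
    return n


def independent(a, b, nonempty):
    """Table 1, read conservatively (same variable assumed, all '-' kept).
    `nonempty` is the state of Out_i before the pair; it decides entry (1)."""
    (ka, pa, _, _), (kb, pb, _, _) = a, b
    if pa != pb:
        # Across processors only memory operations interfere: MW/MW and MW/R.
        return not ("MW" in (ka, kb) and {ka, kb} <= {"MW", "R"})
    # Within one processor everything is dependent except W_i/MW_i on a nonempty queue.
    return {ka, kb} == {"W", "MW"} and nonempty


def intervals(seq):
    """(w_idx, mw_idx) for every matching W_i/MW_i pair in seq."""
    pending, pairs = {}, []
    for idx, (kind, p, _, _) in enumerate(seq):
        if kind == "W":
            pending.setdefault(p, []).append(idx)
        elif kind == "MW":
            pairs.append((pending[p].pop(0), idx))
    return pairs


def measure(seq):
    """Sum of the interval distances: zero exactly for convenient sequences."""
    return sum(mw - w - 1 for w, mw in intervals(seq))


def swap(seq, pos):
    """Exchange seq[pos] and seq[pos+1] if they are independent there, else None."""
    a, b = seq[pos], seq[pos + 1]
    if not independent(a, b, queue_len_before(seq, pos, a[1]) > 0):
        return None
    return seq[:pos] + [b, a] + seq[pos + 2:]


def move(seq, src, dst):
    """Slide seq[src] to index dst by adjacent exchanges; None if one is not allowed."""
    step = 1 if dst > src else -1
    while seq is not None and src != dst:
        seq = swap(seq, min(src, src + step))
        src += step
    return seq


def normalize(seq, max_steps=1000):
    """Apply the case analysis of the Lemma 6 proof until the measure is zero.
    Returns None if an exchange is not permitted or the measure fails to drop,
    which happens for sequences outside Gen_1 (e.g. an R_i inside its own interval)."""
    seq = list(seq)
    while measure(seq) > 0 and max_steps > 0:
        max_steps -= 1
        pairs = intervals(seq)
        w, mw = min((p for p in pairs if p[1] - p[0] > 1), key=lambda p: (p[1] - p[0], p[0]))
        first, before = seq[w + 1], measure(seq)
        if first[0] != "W":                       # MW_j or R_j: move it before W_i
            new = move(seq, w + 1, w)
        elif (w + 1, w + 2) in pairs:             # adjacent W_j;MW_j pair: move both before W_i
            new = move(move(seq, w + 1, w), w + 2, w + 1)
        else:                                     # pending W_j: move the last one past MW_i
            last = max(k for k in range(w + 1, mw) if seq[k][0] == "W")
            new = move(seq, last, mw)
        if new is None or measure(new) >= before:
            return None
        seq = new
    return seq if measure(seq) == 0 else None


def same_events(a, b):
    """Equivalent sequences have the same collection of events."""
    return Counter(a) == Counter(b)


def local_order(seq, proc):
    """The local (W and R) operations of one processor, in their order."""
    return [op for op in seq if op[1] == proc and op[0] in ("W", "R")]
```

Running `normalize` on $W_1(1,x); W_2(2,y); MW_2(2,y); MW_1(1,x); R_2(1,x)$ exercises the adjacent-pair case and yields the convenient sequence $W_2; MW_2; W_1; MW_1; R_2$ with the same events and the same local order per processor; on $W_1(1,x); W_2(2,y); R_3(0,x); MW_1(1,x); MW_2(2,y)$ it first pushes the pending $W_2$ past $MW_1$ and then moves $R_3$ before $W_1$. The forbidden $W_1(1,x); R_1(0,x); MW_1(1,x)$ returns None, because $R_1$ is dependent on both neighbours, which is exactly why the delay condition (12) is needed.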

Theorem 3 $Gen_1$ is sequentially consistent.

Proof: By Theorem 2, using Lemmas 4-6 and the fact that $I$ is s.c. independent. □

Further top-down development of a caching algorithm could similarly be divided into a series of refinements, with each described first by a convenient sequence, followed by a loosening stage to the rest of the computations at that level. Note that the convenient executions are lower level implementations of any computation from the upper level, and not just the convenient upper level ones. In such a series of refinements we might first define a level where In queues and local caches are used, and then afterwards consider the introduction of cache misses in a separate refinement level.


6 Concluding remarks

In this paper we proved the correctness of a refinement introducing queues, starting from the definition of serial and sequentially consistent memory. Reasoning in terms of convenient sequences and their equivalence classes is well-suited for this purpose. At each refinement, a two-stage proof is used, first showing that the convenient sequences are a simple refinement using usual mapping functions, and then separately showing every lower level execution sequence equivalent to one of the convenient ones, using well-founded sets.

Although the formulas of temporal logic require familiarization, this should not obscure the fact that the convenient execution sequences are intuitively natural and are easily devised. Moreover, in those sequences the lower level state is only examined when the system is in a stable (quiescent) state, so the mapping functions are also simple.

The independence relations and restrictions on possible implementations are also intuitively clear to the designer, once the appropriate questions are asked.

In order to prove a refinement stage, the possible computations of the upper level must be described by an ISTL* formula. The lower level computations also will have a formula defining them, including conjuncts that make the independence of adjacent operations explicit. These can be justified from the underlying semantics of the model, or by properties of the data structures used. In the case of sequential consistency, the independence is further restricted by the problem specification, namely that there is a total ordering among local processor writes and reads. These properties can often be shown once for a large collection of related problems. The lower level legal computations also are derived from a description of the implementation (either lower level code or a less formal description). In the example given here, these include restrictions on when a read action is possible. Next, the convenient computations of the lower level are described, also using the temporal logic.

At each refinement stage, four correctness claims must be shown: that the independence relation is appropriate for sequential consistency, that the lower level convenient executions implement the general computations of the upper level, that the lower level convenient executions are sequentially consistent if the upper level executions were, and that every computation on the lower level is equivalent to a convenient one.

The proof that every equivalence class has a convenient execution in it is done using a mapping into a well-founded set. In effect, this is an induction showing that each computation is equivalent to one that is ‘closer’ to a convenient one. This is the more difficult part of the proof, mainly because there are a large number of cases to consider ($O(n^2)$ if there are $n$ kinds of operations). A systematic examination of which operations can be exchanged is done using the independence information. This aspect seems particularly amenable to automation, since it involves a large number of very simple assertions. Specific tools for integrating such proofs into automatic theorem proving systems or to model checking techniques for finite state programs are not yet available, but work has begun in this direction. Such a tool could be expected to query the user on whether certain pairs of operations are independent in various states, helping to cover all of the possibilities. Since the answers on which pairs are independent are generally clear to the designer, the goal of such a tool is to ensure that all cases are examined.
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Abstract 

A  complete  axiomatization  of  a  first-order  temporal  logic  over  trace  systems 
is  introduced.  The  proof  system  contains  infinitary  rules  for  temporal  operators.  In 
order  to  show  how  these  rules  work,  a  toy  concurrent  program  is  considered,  for 
which  a  temporal  semantics  is  provided,  and  the  correctness  of  the  program  is  for¬ 
mally  proved  within  our  logic. 

1  Introduction 

Temporal  logic  is  an  important  tool  for  program  verification.  Depending  on  the  no¬ 
tion  of  model,  three  kinds  of  temporal  logic  can  be  distinguished:  temporal  logic  of 
linear  time  (LTL)  [15, 10],  temporal  logic  of  branching  time  (BTL)  [7],  and  partial 
order  temporal  logic  [21]. 

Mazurkiewicz  traces  and  trace  systems  [13]  are  partial  order  structures  fre¬ 
quently  used  to  give  semantics  to  concurrent  programs  and  interpreting  proposi¬ 
tional  temporal  logics  ([12,  6],  ISTL  [11],  TrPTL  [26],  TSL  [22],  TLC  [1]).  The 
first-order  versions  of  temporal  logics  are  intended  for  specifying  and  proving  prop¬ 
erties  of  infinite-state  concurrent  programs  [23].  The  process  of  program  verifica¬ 
tion  requires  either  a  relatively  complete  program  proof  rules  or  a  complete  proof 
system  of  the  pure  logic  usually  extended  by  the  temporal  semantics  axioms  of  a 
given  program. 

Program  proof  rules  were  defined  for  first-order  versions  of  the  following  log¬ 
ics:  LTL  [14],  fair  CTL  [9],  and  ISTL  [23].  However,  a  complete  proof  system  is 
known  only  for  the  first-order  LTL  [25, 16],  propositional  versions  of  CTL  [8],  TSL, 

'Partially  supported  by  The  State  Committee  for  Scientific  Research  under  two  grants 
No.  8  T1 1C  029  08  and  No.  2  P301  007  04. 
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and  ISTL  (22J.  The  logics  TSL  and  TrPTL  have  not  yet  been  extended  to  their  first 
order  versions. 

In the present paper we partially fill this "gap". We define a first-order version of the logic TSL (FTSL, for short), interpreted over Mazurkiewicz trace systems. The modalities allow universal and existential quantification over forward and backward paths of the models. This makes most of the branching and partial order properties expressible in our temporal language. The first-order language is two-sorted; it has static and dynamic variables and terms. Dynamic variables correspond to variables declared in the programs. They can change their values during a program execution. The values of the static variables do not depend on the time points. Quantification is allowed only over the static variables.

We provide a proof system for the logic and prove its completeness by the Rasiowa-Sikorski method [24]. The proof system contains infinitary rules for the temporal operators. In order to show how these rules work, we consider a toy concurrent program for which the corresponding models are exhibited, the temporal semantics axioms are defined and the correctness of the program is formally proved within our logic.

The  rest  of  the  paper  is  organized  as  follows.  In  Section  2  the  trace  transition 
systems  are  defined.  In  Section  3  we  introduce  the  syntax  and  semantics  of  the  First- 
order  Trace  System  Logic.  Its  proof  system  is  given  in  Section  4.  The  completeness 
is  shown  in  Section  5.  An  example  of  formal  verification  of  the  Concurrent  Facto¬ 
rial  program  is  given  in  Section  6.  In  Section  7  we  extend  the  FTSL  by  allowing 
quantification  over  the  points  of  time.  Section  8  contains  some  general  remarks. 

2  Trace  Transition  Systems 

The trace systems were introduced by Mazurkiewicz [13] as semantics of Elementary Net Systems. The trace systems are isomorphic to the trace transition systems [22, 6], which form a subclass of the occurrence transition systems [17, 6]. The trace transition systems enjoy a nice structural characterization, which is taken as their definition here. The concept of a trace transition system captures the main features of the transition relation $w \stackrel{a}{\rightarrow} w'$ from state $w$ to $w'$ by performing action $a$.

Definition 2.1 A trace transition system is a 4-tuple $T = (W, \Sigma, \rightarrow, w_{init})$, where $W$ is a set of states, $\Sigma$ is a finite set of action labels, $\rightarrow \subseteq W \times \Sigma \times W$ is a labelled successor relation, and $w_{init} \in W$ is the initial state, satisfying the following conditions:

C1. $W = \{w \mid w_{init} \rightarrow^{*} w\}$, where $\rightarrow = \{(w, w') \mid (\exists a \in \Sigma)\ w \stackrel{a}{\rightarrow} w'\}$ and $\rightarrow^{*}$ denotes the reflexive and transitive closure of $\rightarrow$ (reachability from $w_{init}$),

C2. $(\forall w \in W)\ \{v \mid w \rightarrow v\} \neq \emptyset$ ($\rightarrow$ is total),

C3. $\{w \mid w \rightarrow w_{init}\} = \emptyset$ (beginning),

C4. $(\forall a \in \Sigma)(\forall w, w', w'' \in W)$ $w \stackrel{a}{\rightarrow} w'$ and $w \stackrel{a}{\rightarrow} w''$ implies $w' = w''$ (determinism),

C5. $(\forall a \in \Sigma)(\forall w, w', w'' \in W)$ $w' \stackrel{a}{\rightarrow} w$ and $w'' \stackrel{a}{\rightarrow} w$ implies $w' = w''$ (no auto-concurrency),

C6. $(\forall a, b \in \Sigma)(\forall w, w', w'' \in W)(\exists v \in W)$: if $w' \stackrel{a}{\rightarrow} w$ and $w'' \stackrel{b}{\rightarrow} w$ and $a \neq b$, then $v \stackrel{b}{\rightarrow} w'$ and $v \stackrel{a}{\rightarrow} w''$ (backward-diamond property),

C7. Let $I = \{(a, b) \in \Sigma^2 \mid (\exists w, w', w'' \in W):\ w' \stackrel{a}{\rightarrow} w,\ w'' \stackrel{b}{\rightarrow} w$ and $a \neq b\}$,

$(\forall a, b \in \Sigma)(\forall w, w', w'' \in W)(\exists v \in W)$: if $w \stackrel{a}{\rightarrow} w'$, $w \stackrel{b}{\rightarrow} w''$, and $(a, b) \in I$, then $w' \stackrel{b}{\rightarrow} v$ and $w'' \stackrel{a}{\rightarrow} v$ (forward-diamond property),

C8. $(\forall a, b \in \Sigma)(\forall w, w', w'' \in W)(\exists v \in W)$: if $w \stackrel{a}{\rightarrow} w' \stackrel{b}{\rightarrow} w''$ and $(a, b) \in I$, then $w \stackrel{b}{\rightarrow} v \stackrel{a}{\rightarrow} w''$ (concurrency closure property).

Condition C2 is an inessential restriction of the class of trace transition systems, which allows us to consider only infinite paths and enables a simpler axiomatization.

The forward and backward paths are defined as follows. Let $w_0 \in W$. A forward path $x$ starting at $w_0$ is a maximal sequence of states and actions $x = w_0 a_0 w_1 a_1 \ldots$ such that $w_i \stackrel{a_i}{\rightarrow} w_{i+1}$, for all $i \geq 0$. A backward path $x$ starting at $w_0$ is a sequence of states and actions $x = w_0 a_0 w_1 a_1 \ldots w_k$ such that $w_{i+1} \stackrel{a_i}{\rightarrow} w_i$ for all $i < k$, and $w_k = w_{init}$.


3  First-order  TSL 

Syntax 

The logic is formalized in the usual first-order language with identity, equipped with the symbols for temporal operators treated as logical connectives to be used in building formulas. We distinguish two sorts of variables: $v_i \in SV$ (called static variables) and $z_j \in DV$ (called dynamic, program, or local variables), for natural numbers $i$ and $j$. That is, we have a two-sorted language. Its predicate and function symbols act within their sorts, although the identity is assumed to allow comparison of all the objects (variables, terms) of whatever sorts they come from. We assume there are no function or predicate symbols on the sort of dynamic variables except for the equality just mentioned. The formulas are built up as usual in a many-sorted language except that quantification over the dynamic variables is not allowed.

Formally,  the  sets  of  terms  and  formulas  are  defined  as  follows. 

Definition 3.1 The set of static terms $T_s$ is the least set satisfying the following conditions:

• all static variables are in $T_s$,

• all individual constants are in $T_s$,

• whenever $f$ is an $n$-ary function symbol and $t_1, \ldots, t_n \in T_s$, then $f(t_1, \ldots, t_n) \in T_s$.

The set of all terms $T$ is the extension of $T_s$ by the dynamic variables, i.e. $T = T_s \cup DV$.

Definition 3.2 The set of temporal formulas $TF$ is the least set satisfying the following conditions:

• if $t_1, t_2 \in T_s$ and $z \in DV$, then $(t_1 = t_2), (z = t_1) \in TF$,

• if $p$ is an $m$-ary predicate symbol and $t_1, \ldots, t_m \in T_s$ are static terms of the appropriate sorts, then $p(t_1, \ldots, t_m) \in TF$,

• if $\varphi, \psi \in TF$ and $v \in SV$, then $\neg\varphi$, $\varphi \land \psi$, $\exists v\varphi$, $E(\varphi U \psi)$, $EG\varphi$ and $EX_a\varphi$ (for $a \in \Sigma$), $E(\varphi S \psi)$, $EH\varphi$ and $EY_a\varphi$ (for $a \in \Sigma$) are in $TF$.

Thus the language has $EG$, $EX_a$, $EH$ and $EY_a$ as unary connectives (operators) and $E(\,.\,U\,.\,)$ and $E(\,.\,S\,.\,)$ as two binary connectives (operators) on formulas. The notation with prefix $E$ is meant to indicate the interpretation in the sense there exists a path such that .... Otherwise this is the usual notation for the modalities always, next step and until, together with their past counterparts. The intended interpretation of the future temporal formulas is as follows: $EG\varphi$: there is a forward path s.t. $\varphi$ holds along it; $E(\varphi U \psi)$: there is a forward path s.t. eventually $\psi$ holds and always before $\varphi$ holds; $EX_a\varphi$: $\varphi$ holds in the next moment in the future after executing $a$. For the past formulas the interpretation is the same but with backward paths replacing the forward ones.

Semantics 

Definition 3.3 The language is interpreted in the relational structures (models) of the form $M = (F, A, I, S)$, where

• $F = (W, \Sigma, \rightarrow, w_{init})$ is a trace transition system,

• $A$ is a carrier set,

• $I$ is an interpretation of the function and the predicate symbols (i.e., $(A, I)$ is a first-order relational structure as usual in model theory, possibly many-sorted),

• $S : W \times DV \rightarrow A$ is a valuation of the dynamic variables.

We write $W_M$ to denote the set $W$ of $F$ in $M$. By a valuation of the static variables we mean a function $V : SV \rightarrow A$. The valuation functions are extended to $T_s$ in the standard way, $V_s : T_s \rightarrow A$.
The satisfaction relation of a formula $\varphi$ by a valuation $V$ in a model $M$ at a state $w_0$, $(M, V, w_0) \models \varphi$, is defined by induction on the complexity of the formula:

• $(M, V, w_0) \models (t_1 = t_2)$ iff $V_s(t_1) = V_s(t_2)$, for $t_1, t_2 \in T_s$,

• $(M, V, w_0) \models (z = t)$ iff $S(w_0, z) = V_s(t)$, for $z \in DV$, $t \in T_s$,

• $(M, V, w_0) \models p(t_1, \ldots, t_m)$ iff $I(p)(V_s(t_1), \ldots, V_s(t_m))$, where $p \in P$ is an $m$-ary predicate symbol and $t_1, \ldots, t_m \in T_s$,

• $(M, V, w_0) \models \neg\varphi$ iff $(M, V, w_0) \not\models \varphi$,

• $(M, V, w_0) \models \varphi \land \psi$ iff $(M, V, w_0) \models \varphi$ and $(M, V, w_0) \models \psi$,

• $(M, V, w_0) \models \forall v\varphi$ iff for every $a \in A$, $(M, V', w_0) \models \varphi$, where $V'(v') = V(v')$ for $v' \in SV \setminus \{v\}$ and $V'(v) = a$,

• $(M, V, w_0) \models \exists v\varphi$ iff there exists $a \in A$ such that $(M, V', w_0) \models \varphi$, where $V'(v') = V(v')$ for $v' \in SV \setminus \{v\}$ and $V'(v) = a$,

• $(M, V, w_0) \models E(\varphi U \psi)$ iff there is a forward path $x = w_0 a_0 w_1 a_1 \ldots$ and $k \geq 0$ with $(M, V, w_k) \models \psi$, and for all $0 \leq i < k$: $(M, V, w_i) \models \varphi$,

• $(M, V, w_0) \models EG\varphi$ iff there is a forward path $x = w_0 a_0 w_1 a_1 \ldots$ s.t. for all $i \geq 0$: $(M, V, w_i) \models \varphi$,

• $(M, V, w_0) \models EX_a\varphi$ iff $(\exists w \in W)(w_0 \stackrel{a}{\rightarrow} w$ and $(M, V, w) \models \varphi)$,

• $(M, V, w_0) \models E(\varphi S \psi)$ iff there is a backward path $x = w_0 a_0 w_1 a_1 \ldots w_k$ and $j$, $0 \leq j \leq k$, with $(M, V, w_j) \models \psi$, and for all $0 \leq i < j$: $(M, V, w_i) \models \varphi$,

• $(M, V, w_0) \models EH\varphi$ iff there is a backward path $x = w_0 a_0 w_1 a_1 \ldots w_k$ s.t. for all $0 \leq i \leq k$: $(M, V, w_i) \models \varphi$,

• $(M, V, w_0) \models EY_a\varphi$ iff $(\exists w \in W)(w \stackrel{a}{\rightarrow} w_0$ and $(M, V, w) \models \varphi)$.

We also need the following definitions:

• $(M, V) \models \varphi$ $\stackrel{df}{\iff}$ $(M, V, w) \models \varphi$ for each $w \in W$,

• $(M, w) \models \varphi$ $\stackrel{df}{\iff}$ $(M, V, w) \models \varphi$ for each valuation $V$,

• $M \models \varphi$ $\stackrel{df}{\iff}$ $(M, V) \models \varphi$ for each valuation $V$.
4  Proof system

We shall need the following abbreviations:

• $\varphi \lor \psi \stackrel{df}{=} \neg(\neg\varphi \land \neg\psi)$, $\varphi \Rightarrow \psi \stackrel{df}{=} \neg\varphi \lor \psi$,

• $true \stackrel{df}{=} \varphi \lor \neg\varphi$, $false \stackrel{df}{=} \neg true$, $\varphi \equiv \psi \stackrel{df}{=} (\varphi \Rightarrow \psi) \land (\psi \Rightarrow \varphi)$,

• $AF\varphi \stackrel{df}{=} \neg EG\neg\varphi$, $EF\varphi \stackrel{df}{=} E(true\,U\,\varphi)$, $AG\varphi \stackrel{df}{=} \neg EF\neg\varphi$,

• $EP\varphi \stackrel{df}{=} E(true\,S\,\varphi)$, $AH\varphi \stackrel{df}{=} \neg EP\neg\varphi$,

• $AX_a\varphi \stackrel{df}{=} \neg EX_a\neg\varphi$, $AY_a\varphi \stackrel{df}{=} \neg EY_a\neg\varphi$, $EX\varphi \stackrel{df}{=} \bigvee_{a \in \Sigma} EX_a\varphi$,

• $EY\varphi \stackrel{df}{=} \bigvee_{a \in \Sigma} EY_a\varphi$, $AX\varphi \stackrel{df}{=} \neg EX\neg\varphi$, $AY\varphi \stackrel{df}{=} \neg EY\neg\varphi$,

• $EX^0(\varphi) \stackrel{df}{=} \varphi$, $EX^i(\varphi) \stackrel{df}{=} \varphi \land EX(\varphi \land EX(\varphi \land \ldots EX(\varphi) \ldots))$ (the operator $EX$ occurs $i$ times, for $i > 0$),

• $EX^0(\varphi, \psi) \stackrel{df}{=} \psi$, $EX^i(\varphi, \psi) \stackrel{df}{=} \varphi \land EX(\varphi \land EX(\varphi \land \ldots EX(\psi) \ldots))$,

$AX^0(\varphi, \psi) \stackrel{df}{=} \psi$, $AX^i(\varphi, \psi) \stackrel{df}{=} \varphi \land AX(\varphi \land AX(\varphi \land \ldots AX(\psi) \ldots))$ (the operator $EX$ ($AX$) occurs $i$ times, for $i > 0$),

• $EX_{a_1 \ldots a_n}\varphi \stackrel{df}{=} EX_{a_1} \ldots EX_{a_n}\varphi$, for $a_1 \ldots a_n \in \Sigma^*$,

• $I(a, b) \stackrel{df}{=} EP\,EF(EY_a true \land EY_b true)$, for $a, b \in \Sigma$.

Axioms

A0. all formulas in the form of the tautologies of the classical propositional calculus

A1. $v_j = v_j$ and $z_j = z_j$, for each natural $j$

A2. $EX_a(\varphi \land \psi) \equiv EX_a(\varphi) \land EX_a(\psi)$, for $a \in \Sigma$ (determinism)

A3. $EG\varphi \equiv \varphi \land EX(EG\varphi)$

A4. $E(\varphi U \psi) \equiv \psi \lor (\varphi \land EX(E(\varphi U \psi)))$

A5. $EY_a(\varphi \land \psi) \equiv EY_a(\varphi) \land EY_a(\psi)$, for $a \in \Sigma$ (no auto-concurrency)

A6. $EH\varphi \equiv \varphi \land (AY\,false \lor EY(EH\varphi))$

A7. $E(\varphi S \psi) \equiv \psi \lor (\varphi \land EY(E(\varphi S \psi)))$

A8. $\varphi \Rightarrow AX_a EY_a\varphi$, for $a \in \Sigma$ (relating past and future)

A9. $\varphi \Rightarrow AY_a EX_a\varphi$, for $a \in \Sigma$ (relating past and future)

A10. $EX\,true$ (infiniteness of paths)

A11. $EP(AY\,false)$ (beginning)

A12. $EY_a AY_b\varphi \Rightarrow AY_b EY_a\varphi$, for $a \neq b$ (backward-diamond property)

A13. $(I(a, b) \land EX_a AX_b\varphi) \Rightarrow AX_b EX_a\varphi$, for $a \neq b$ (forward-diamond property)

A14. $(I(a, b) \land EX_a EX_b\varphi) \Rightarrow EX_b EX_a\varphi$ (concurrency closure property)

A15. $\forall v\varphi(v) \Rightarrow \varphi(t)$, $t \in T_s$

A16. $\exists v EX_a\varphi(v) \equiv EX_a \exists v\varphi(v)$ (Barcan formula)

A17. $\forall v EX_a\varphi(v) \equiv EX_a \forall v\varphi(v)$ (Barcan formula)

A18. $\exists v\varphi \equiv \neg\forall v\neg\varphi$

A19. $(AY\,false \land EX_u true) \Rightarrow \exists v EX_u(z_j = v)$, for $j \in \omega$ and $u \in \Sigma^*$

A20. $(t_1 = t_2) \equiv (AG(t_1 = t_2) \land AH(t_1 = t_2))$, for $t_1, t_2 \in T_s$

A21. $p(t_1, \ldots, t_m) \equiv (AG(p(t_1, \ldots, t_m)) \land AH(p(t_1, \ldots, t_m)))$, where $p$ is any $m$-argument predicate symbol

A22. $(v_1 = v'_1 \land \ldots \land v_n = v'_n) \Rightarrow (f(v_1, \ldots, v_n) = f(v'_1, \ldots, v'_n))$, where $f$ is any $n$-argument function symbol

A23. $(v_1 = v'_1 \land \ldots \land v_m = v'_m) \Rightarrow (p(v_1, \ldots, v_m) \equiv p(v'_1, \ldots, v'_m))$, where $p$ is any $m$-argument predicate symbol.

Proof rules

MP. $\varphi,\ \varphi \Rightarrow \psi \vdash \psi$

R1. $\varphi \Rightarrow \psi \vdash EX_a\varphi \Rightarrow EX_a\psi$

R2. $\varphi \Rightarrow \psi \vdash EY_a\varphi \Rightarrow EY_a\psi$

R3. $\{\varphi \Rightarrow EX_u EX^i(\psi)\}_{i \in \omega} \vdash \varphi \Rightarrow EX_u EG\psi$, for $u \in \Sigma^*$

R4. $\{EX_u EX^i(\varphi, \psi) \Rightarrow \chi\}_{i \in \omega} \vdash EX_u E(\varphi U \psi) \Rightarrow \chi$, for $u \in \Sigma^*$

R5. $AY\,false \Rightarrow AG\varphi \vdash \varphi$

R6. $\varphi \Rightarrow \psi \vdash \varphi \Rightarrow \forall v\psi(v)$, $v$ not free in $\varphi$
5  Completeness

In this section we show that the proof system is sound and complete.

Lemma 5.1 ([22]) For every model $M$ and $w \in W_M$,

(a) $(M, w) \models EG\varphi$ iff $(M, w) \models EX^i(\varphi)$ for each $i \in \omega$,

(b) $(M, w) \models E(\varphi U \psi)$ iff $(M, w) \models EX^i(\varphi, \psi)$, for some $i \in \omega$.

Theorem 5.1 The proof system is sound and complete.

Proof. Soundness is straightforward, so we are only concerned here with proving completeness. To this end let $\sigma$ be a sentence that is not provable in our proof system from a given set $Ax$ of axioms, i.e., $Ax \nvdash \sigma$. We build a model for $Ax$ and $\neg\sigma$. That is, we construct a model $M = (F, A, I, S)$ with $M \models Ax$ and $(M, w) \models \neg\sigma$, for some $w \in W_M$.

We follow the idea of Rasiowa and Sikorski for constructing models on ultrafilters in the Lindenbaum-Tarski algebra of a given theory (see, e.g., [24] or [2]). By axiom A15 and the generalization rule R6, the quantifiers correspond to certain sups and infs in the Lindenbaum-Tarski algebra:

• $[\forall v\varphi] = \inf\{[\varphi(t)] : t \in T_s\}$,

• $[\exists v\varphi] = \sup\{[\varphi(t)] : t \in T_s\}$.

By a temporal ultrafilter we mean a maximal proper filter $U$ in the Lindenbaum-Tarski algebra of $Ax$ preserving the sups and infs corresponding to the existential and universal quantifiers and to the following infinite operations:

• $[EX_u EG\varphi] = \inf_{i \in \omega}\{[EX_u EX^i(\varphi)]\}$, for $u \in \Sigma^*$,

• $[EX_u E(\varphi U \psi)] = \sup_{i \in \omega}\{[EX_u EX^i(\varphi, \psi)]\}$, for $u \in \Sigma^*$.

That is,

• if $[EX_u E(\varphi U \psi)] \in U$, then there is $i \in \omega$ s.t. $[EX_u EX^i(\varphi, \psi)] \in U$, for $u \in \Sigma^*$,

• if $[EX_u EG\varphi] \notin U$, then there is $i \in \omega$ s.t. $[EX_u EX^i(\varphi)] \notin U$, for $u \in \Sigma^*$.

We construct the time frame $F$ of $M$ consisting of temporal ultrafilters. Let $w_{init}$ of $M$ be an arbitrary temporal ultrafilter containing the equivalence class of the formula $AY\,false \land EF(\neg\sigma)$. Such an ultrafilter exists by the Rasiowa-Sikorski lemma: if a collection $Q$ of infinite operations in a Boolean algebra is at most denumerable, then every non-zero element of the Boolean algebra belongs to an ultrafilter preserving all the operations of $Q$. It follows from proof rule R5 that the equivalence class $[AY\,false \land EF(\neg\sigma)]$ is non-zero. That is, $Ax$ does not prove $\neg(AY\,false \land EF(\neg\sigma))$. Otherwise, $Ax \vdash (AY\,false \Rightarrow AG(\sigma))$ would give $Ax \vdash \sigma$, by R5, contradicting our assumption. For all temporal ultrafilters $U$ and $U'$, we define

$U \stackrel{a}{\rightarrow} U' \stackrel{df}{\iff} [EX_a\varphi] \in U$ implies $[\varphi] \in U'$.

Now, the universe of $F$ is defined by

$W \stackrel{df}{=} \{U \mid \exists n \geq 0\ \exists a_1, \ldots, a_n\ \exists U_1, \ldots, U_{n-1}:\ w_{init} \stackrel{a_1}{\rightarrow} U_1 \stackrel{a_2}{\rightarrow} \cdots \stackrel{a_{n-1}}{\rightarrow} U_{n-1} \stackrel{a_n}{\rightarrow} U\}$.

The definition of $W$ is unambiguous since one can show that there is at most one $U$ for each $n \geq 0$ and each sequence $a_1, \ldots, a_n$.

Slightly abusing the notation we define the relation $\rightarrow$ of $F$ as the restriction of $\rightarrow$ introduced above to $W \times \Sigma \times W$. It is easy to check that the conditions C1-C8 hold (see [22]).

To make sure the above construction of $W$ is not void, we show the existence of the appropriate ultrafilter for the next step. That is, the induction clause for the statement that for each $n \geq 0$ the appropriate $U$ exists, whenever the sequence $u = a_1 \ldots a_n$ is such that $[EX_u true] \in w_{init}$. The immediate $a$-successor of a temporal ultrafilter $U$, denoted $EX_aU$, can be constructed as follows:

$EX_aU \stackrel{df}{=} \{[\varphi] \mid [EX_a\varphi] \in U\}$.

One can show that $EX_aU$ is a proper non-principal temporal ultrafilter using the argument of Lemma 4.9 in [18] and Lemma 5.6 in [22]. Let us now show that $EX_aU$ preserves the infs corresponding to the universal quantifier.

Assume that $[\varphi(t)] \in EX_aU$, for each term $t$. Then $[EX_a\varphi(t)] \in U$, for each $t$, by the definition of $EX_aU$. Since $U$ is an ultrafilter preserving the infs corresponding to the universal quantifiers, $[\forall v EX_a\varphi(v)] \in U$. Therefore $[EX_a \forall v\varphi(v)] \in U$ by axiom A17. Thus $[\forall v\varphi(v)] \in EX_aU$ by the definition of $EX_aU$.

Similarly, we can use axiom A16 to show that $EX_aU$ preserves the sups corresponding to the existential quantifier. Suppose that $[\exists v\varphi(v)] \in EX_aU$. Then $[EX_a \exists v\varphi(v)] \in U$ by the definition of $EX_aU$. Thus $[\exists v EX_a\varphi(v)] \in U$, by A16. Hence $[EX_a\varphi(t)] \in U$ for some term $t$, since $U$ preserves the sups corresponding to the existential quantifiers. Thus $[\varphi(t)] \in EX_aU$ for some term $t$, once more by the definition of $EX_aU$.

Now, we define the other components of $M = (F, A, I, S)$. For any $t \in T_s$ let $[t]_= = \{t' \in T_s \mid [t = t'] \in w_{init}\}$. These are the equivalence classes of the identity relation according to $w_{init}$ on the static terms. It follows from A20 that if $[t = t'] \in w_{init}$, then $[t = t'] \in w$ for all $w \in W_M$. Let

• $A = \{[t]_= \mid t \in T_s\}$,

• $I(=)([t_1]_=, [t_2]_=)$ iff $[t_1]_= = [t_2]_=$,

• $I(f)([t_1]_=, \ldots, [t_n]_=) = [f(t_1, \ldots, t_n)]_=$, for every $n$-placed function symbol $f$ and $t_1, \ldots, t_n \in T_s$,

• $I(p)([t_1]_=, \ldots, [t_m]_=)$ iff $[p(t_1, \ldots, t_m)] \in w_{init}$, for every $m$-placed predicate symbol $p$ and $t_1, \ldots, t_m \in T_s$,

• $S(w, z) = [t]_=$ iff $[z = t] \in w$, for $w \in W$, $z \in DV$, and $t \in T_s$.

Notice that these definitions are unambiguous. To this end, observe that for each $w \in W_M$,

• $[p(t_1, \ldots, t_m)] \in w_{init}$ iff $[p(t_1, \ldots, t_m)] \in w$, and

• $[f(t_1, \ldots, t_n) = t] \in w_{init}$ iff $[f(t_1, \ldots, t_n) = t] \in w$,

for any $p$, $f$, $t_1, \ldots, t_m$, $t_1, \ldots, t_n$, $t$, $z$. It follows from A19 that there is $t \in T_s$ such that $[z = t] \in w$. It follows from the transitivity and symmetry of $=$ that for all $t_1, t_2 \in T_s$, if $[z = t_1], [z = t_2] \in w$, then $[t_1 = t_2] \in w$.

Lemma 5.2 For each formula $\varphi(v_0, \ldots, v_n)$ of FTSL, whose free (static) variables are among $v_0, \ldots, v_n$,

(*) for all valuations $V : SV \rightarrow A$, and all $w \in W_M$,

$(M, V, w) \models \varphi$ iff $[\varphi(v_0/t_0, \ldots, v_n/t_n)] \in w$,

where $t_0 \in V(v_0), \ldots, t_n \in V(v_n)$ are any representatives (members) of the equivalence classes $V(v_0), \ldots, V(v_n)$.

Proof. By induction on the complexity of $\varphi$ according to a well-founded ordering on the set $TF$ of temporal formulas respecting Lemma 5.1. That is, $EG\varphi$ must be greater in this ordering than $EX^i(\varphi)$, for each $i \in \omega$, and $E(\varphi U \psi)$ greater than $EX^i(\varphi, \psi)$, for each $i \in \omega$.

In the case of primitive formulas $t = t'$, $p(t_1, \ldots, t_m)$ and $z = t$ the proof follows immediately from the definitions of $A$, $I$, and $S$. In the case of negation and conjunction the proof follows by the ultrafilter properties.

The quantifier step follows by axiom A15 and the generalization rule R6. To this end, suppose $(M, V, w) \models \forall v\phi(v)$. Then $[\phi(t)] \in w$ for each term $t$, by the quantifier clause of the definition of the satisfaction relation and by the inductive hypothesis. Thus also $\inf\{[\phi(t)] : t \in T_s\} \in w$, since $w$ is closed under this inf. Hence $[\forall v\phi(v)] \in w$, because we have $[\forall v\phi(v)] = \inf\{[\phi(t)] : t \in T_s\}$ in the algebra. For the converse implication, suppose $[\forall v\phi(v)] \in w$. Then $[\phi(t)] \in w$, for each term $t$, since $[\forall v\phi(v)] \leq [\phi(t)]$. By the induction hypothesis this means $(M, V, w) \models \phi(t)$ for each term $t$. Hence by the definition of the satisfaction relation, we get $(M, V, w) \models \forall v\phi(v)$.

The  cases  of  the  temporal  operators  are  similar  to  those  in  [22].  We  give  details 
for  two  of  them. 




Assume $\phi$ is of the form $EG\varphi$, where $\varphi$ is a formula whose free variables are among $v_0, \ldots, v_n$. Then $(M, V, w) \models \phi$ iff $(M, V, w) \models EX^i(\varphi)$, for each $i \in \omega$, by Lemma 5.1. The induction hypothesis (*) holds for all the formulas $EX^i(\varphi)$, for each $i \in \omega$. Thus, $(M, V, w) \models EX^i(\varphi)$ for each $i \in \omega$ iff for each $i \in \omega$, $[EX^i(\varphi(v_0/t_0, \ldots, v_n/t_n))] \in w$, with $t_0 \in V(v_0), \ldots, t_n \in V(v_n)$. Since $w$ preserves all the infs of this form the latter holds iff $[EG\varphi(v_0/t_0, \ldots, v_n/t_n)] \in w$, with $t_0 \in V(v_0), \ldots, t_n \in V(v_n)$. That is, $(M, V, w) \models \phi$ iff $[\phi(v_0/t_0, \ldots, v_n/t_n)] \in w$, with $t_0 \in V(v_0), \ldots, t_n \in V(v_n)$.

Now, assume $\phi = E(\chi U \psi)$, where $\chi$ and $\psi$ are formulas whose free variables are among $v_0, \ldots, v_n$. Then $(M, V, w) \models \phi$ iff $(M, V, w) \models EX^i(\chi, \psi)$, for some $i \in \omega$, by Lemma 5.1. The induction hypothesis (*) holds for all the formulas $EX^i(\chi, \psi)$, for each $i \in \omega$. Thus, $(M, V, w) \models EX^i(\chi, \psi)$ for some $i \in \omega$ iff for some $i \in \omega$, $[EX^i(\chi(v_0/t_0, \ldots, v_n/t_n), \psi(v_0/t_0, \ldots, v_n/t_n))] \in w$, with $t_0 \in V(v_0), \ldots, t_n \in V(v_n)$. Since $w$ preserves the sups of this form the latter holds iff $[E(\chi(v_0/t_0, \ldots, v_n/t_n)\,U\,\psi(v_0/t_0, \ldots, v_n/t_n))] \in w$, with $t_0 \in V(v_0), \ldots, t_n \in V(v_n)$. That is, $(M, V, w) \models \phi$ iff $[\phi(v_0/t_0, \ldots, v_n/t_n)] \in w$, with $t_0 \in V(v_0), \ldots, t_n \in V(v_n)$. This completes the proof.

Clearly, $M$ is a model with $M \models Ax$ and $(M, w) \models \neg\sigma$, for some $w \in W_M$, which completes the proof of Theorem 5.1.

6  Toy  example:  Concurrent  Factorial 

Consider  the  concurrent  program  CONFAC,  shown  in  Figure  1,  for  computing  the 
factorial  n!,  for  each  nonnegative  integer  input  n. 

The program has one input variable $x$ of type Nat, one local variable $y$ of type Nat assumed to be preset to 0, and one output variable $z$ of type Nat assumed to be preset to 1. CONFAC is composed of two processes (marked by the dotted lines) synchronizing on the action $b : y := x$. There are two control variables $l_1$ and $l_2$ pointing to locations in these processes, respectively. The initial states of the processes are marked with 1 and 4, while the terminal states with 6 and 4, respectively.

The variables $x$, $y$, $z$, $l_1$, and $l_2$ are dynamic variables according to our terminology.

The data domain on which the program operates is described in the FTSL language with 0, successor, addition and multiplication as the specific symbols, by the Peano axioms with the induction scheme for all the formulas of the FTSL language. Alternatively, one can admit the $\omega$-rule. The latter is not a big deal here, since we already have infinitary proof rules anyway.

The frame $F$ for CONFAC on input $x = 1$ is shown in Figure 2. The number of actions executed by CONFAC depends on the input (see Figure 3). Therefore, there are different frames for different inputs.

Figure 2: The frame for CONFAC on input $x = 1$
As the FTSL temporal semantics for CONFAC we take the conjunction of the requirements listed below. It restricts the class of FTSL models to the ones corresponding to trace transition systems representing the computations of CONFAC on all possible inputs. One such model is shown in Figure 2. In order to satisfy the restriction C2 (infiniteness of paths) for the trace transition systems representing the computations of CONFAC, we adopt the convention that the final state of CONFAC is repeated infinitely often by executing an additional "dummy" action $f$. This is reflected in S7. Let $\Sigma_C = \{a, b, c, d, e, f\}$ be the set of actions of CONFAC.

• The initial state:

IS $\exists v_0(AY\,false \land l_1 = 1 \land l_2 = 4 \land x = v_0 \land y = 0 \land z = 1)$,

• The successor states:

S1 $\forall n_1, n_2, n_3(l_1 = 1 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3 \land n_1 > 0 \Rightarrow (EX_a(l_1 = 2 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3) \land AX(l_1 = 2 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3) \land \bigwedge_{g \in \Sigma_C \setminus \{a\}} \neg EX_g true))$

S2 $\forall n_1, n_2, n_3(l_1 = 1 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3 \land x = 0 \Rightarrow (EX_e(l_1 = 6 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3) \land AX(l_1 = 6 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3) \land \bigwedge_{g \in \Sigma_C \setminus \{e\}} \neg EX_g true))$

S3 $\forall n_1, n_2, n_3(l_1 = 2 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3 \Rightarrow (EX_b(l_1 = 3 \land l_2 = 5 \land x = n_1 \land y = n_1 \land z = n_3) \land AX(l_1 = 3 \land l_2 = 5 \land x = n_1 \land y = n_1 \land z = n_3) \land \bigwedge_{g \in \Sigma_C \setminus \{b\}} \neg EX_g true))$

S4 $\forall n_1, n_2, n_3(l_1 = 3 \land l_2 = 5 \land x = n_1 \land y = n_2 \land z = n_3 \Rightarrow (EX_c(l_1 = 1 \land l_2 = 5 \land x = n_1 - 1 \land y = n_2 \land z = n_3) \land EX_d(l_1 = 3 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3 * n_2) \land AX((l_1 = 1 \land l_2 = 5 \land x = n_1 - 1 \land y = n_2 \land z = n_3) \lor (l_1 = 3 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3 * n_2)) \land \bigwedge_{g \in \Sigma_C \setminus \{c, d\}} \neg EX_g true))$

S5 $\forall n_1, n_2, n_3(l_1 = 1 \land l_2 = 5 \land x = n_1 \land y = n_2 \land z = n_3 \Rightarrow (EX_d(l_1 = 1 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3 * n_2) \land EX_a(l_1 = 2 \land l_2 = 5 \land x = n_1 \land y = n_2 \land z = n_3) \land AX((l_1 = 1 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3 * n_2) \lor (l_1 = 2 \land l_2 = 5 \land x = n_1 \land y = n_2 \land z = n_3)) \land \bigwedge_{g \in \Sigma_C \setminus \{a, d\}} \neg EX_g true))$

S6 $\forall n_1, n_2, n_3(l_1 = 3 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3 \Rightarrow (EX_c(l_1 = 1 \land l_2 = 4 \land x = n_1 - 1 \land y = n_2 \land z = n_3) \land AX(l_1 = 1 \land l_2 = 4 \land x = n_1 - 1 \land y = n_2 \land z = n_3) \land \bigwedge_{g \in \Sigma_C \setminus \{c\}} \neg EX_g true))$

S7 $\forall n_1, n_2, n_3(l_1 = 6 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3 \Rightarrow (EX_f(l_1 = 6 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3) \land AX(l_1 = 6 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3) \land \bigwedge_{g \in \Sigma_C \setminus \{f\}} \neg EX_g true))$

S8 $\forall n_1, n_2, n_3(l_1 = 2 \land l_2 = 5 \land x = n_1 \land y = n_2 \land z = n_3 \Rightarrow (EX_d(l_1 = 2 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3 * n_2) \land AX(l_1 = 2 \land l_2 = 4 \land x = n_1 \land y = n_2 \land z = n_3 * n_2) \land \bigwedge_{g \in \Sigma_C \setminus \{d\}} \neg EX_g true))$
The program is correct iff for each natural number $n$, whenever the program starts with input $x = n$, it eventually reaches the state with $l_1 = 6$, $l_2 = 4$ and output $z = n!$. This property can be expressed in our formal language by the formula:

$Spec = \forall n(AY\,false \land x = n \Rightarrow AF(l_1 = 6 \land l_2 = 4 \land z = 1 * 2 * \ldots * n))$.

Next, we show that the formula Spec can be derived from our temporal semantics $TSem = IS \land S1 \land \ldots \land S8$ using the proof system, i.e., $TSem \vdash Spec$.

We show only the major steps of the derivation. First, decompose Spec into the formulas 1) and 2), from which Spec can be easily derived using first-order calculus rules.

1) $TSem \vdash \forall n_1(AY\,false \land x = n_1 \Rightarrow EF(l_1 = 6 \land l_2 = 4 \land z = 1 * 2 * \ldots * n_1))$,

2) $TSem \vdash \forall n(EF(l_1 = 6 \land l_2 = 4 \land z = n) \Rightarrow AF(l_1 = 6 \land l_2 = 4 \land z = n))$.

Now, in order to prove 2), we derive from the temporal semantics $TSem$:

• $TSem \vdash \forall n(EX^i(true, l_1 = 6 \land l_2 = 4 \land z = n) \Rightarrow AX^i(true, l_1 = 6 \land l_2 = 4 \land z = n))$, for each $i \in \omega$,

then using axiom A3 we derive:

• $TSem \vdash \forall n(EX^i(true, l_1 = 6 \land l_2 = 4 \land z = n) \Rightarrow AF(l_1 = 6 \land l_2 = 4 \land z = n))$, for each $i \in \omega$,

and then using rule R4 we get:

• $TSem \vdash \forall n(EF(l_1 = 6 \land l_2 = 4 \land z = n) \Rightarrow AF(l_1 = 6 \land l_2 = 4 \land z = n))$.

Now, in order to prove 1), we use axiom A4 to derive from $TSem$:

• $TSem \vdash \forall n_1(AY\,false \land x = n_1 \land n_1 > 0 \Rightarrow EF(l_1 = 1 \land l_2 = 4 \land x = n_1 - 1 \land z = n_1))$,

• $TSem \vdash \forall n_1, n_3(l_1 = 1 \land l_2 = 4 \land x = n_1 \land x > 0 \land z = n_3 \Rightarrow EF(l_1 = 1 \land l_2 = 4 \land x = n_1 - 1 \land z = n_3 * n_1))$,

then, using induction on $n_1$, we derive

• $TSem \vdash \forall n_1(AY\,false \land x = n_1 \land n_1 > 0 \Rightarrow EF(l_1 = 1 \land l_2 = 4 \land x = 0 \land z = 1 * 2 * \ldots * n_1))$

and using axiom S2 and axiom A4, we get:

• $TSem \vdash \forall n_1(AY\,false \land x = n_1 \Rightarrow EF(l_1 = 6 \land l_2 = 4 \land z = 1 * 2 * \ldots * n_1))$.
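The trace transition system of Definition 2.1, the set-valued reading of the modalities of Section 3 (axioms A3, A4, A6 and A7 are exactly their fixpoint characterizations) and the CONFAC argument above can be exercised on a machine. The following Python program is an added example and not code from the paper: it enumerates CONFAC's reachable states for a given input, checks conditions C2-C8 on that frame, evaluates $EX_a$, $EY_a$, $EG$, $E(\,.\,U\,.\,)$, $EH$, $E(\,.\,S\,.\,)$ and the derived $EF$, $AF$, $EP$ and $I(a, b)$ as fixpoints, and decides Spec for small inputs. The action guards ($a$: $x > 0$, $e$: $x = 0$, $b$ synchronising both processes) and the assumption that $e$ is enabled at location 1 whatever the location of the second process are read off the description of Figure 1 and are ours, not the paper's; the dummy action $f$ is rendered as a self-loop on the terminal states, which the forward operators cannot distinguish from the infinite $f$-chain of S7.

```python
"""Added example (not from the paper): CONFAC as a finite trace transition
system; check C2-C8 of Definition 2.1 and decide Spec by fixpoint evaluation."""
from math import factorial

def step(s):
    """Successors of s = (l1, l2, x, y, z) under CONFAC's actions a..e.
    The guards and the interleaving of both processes are our assumptions."""
    l1, l2, x, y, z = s
    out = {}
    if l1 == 1 and x > 0:   out['a'] = (2, l2, x, y, z)      # test x > 0
    if l1 == 1 and x == 0:  out['e'] = (6, l2, x, y, z)      # test x = 0
    if (l1, l2) == (2, 4):  out['b'] = (3, 5, x, x, z)       # y := x (sync)
    if l1 == 3:             out['c'] = (1, l2, x - 1, y, z)  # x := x - 1
    if l2 == 5:             out['d'] = (l1, 4, x, y, z * y)  # z := z * y
    return out

def build_frame(n):
    """Reachable states and labelled edges for input x = n (condition C1)."""
    init = (1, 4, n, 0, 1)
    states, edges, todo = {init}, {}, [init]
    while todo:
        s = todo.pop()
        for act, t in step(s).items():
            edges[(s, act)] = t
            if t not in states:
                states.add(t)
                todo.append(t)
    return init, states, edges

def check_conditions(init, states, edges):
    """C2-C8 on the f-free frame.  C2 is read as 'every dead end is a terminal
    state' (the states f extends); C4 holds as edges is a function of (state, action)."""
    succ = {s: {} for s in states}
    pred = {s: {} for s in states}
    for (s, a), t in edges.items():
        succ[s][a] = t
        pred[t].setdefault(a, set()).add(s)
    I = {(a, b) for t in states for a in pred[t] for b in pred[t] if a != b}
    return {
        'C2': all(succ[s] or s[:2] == (6, 4) for s in states),
        'C3': not pred[init],
        'C5': all(len(ws) == 1 for t in states for ws in pred[t].values()),
        'C6': all(any(succ[v].get(b) == w1 and succ[v].get(a) == w2 for v in states)
                  for w in states for a in pred[w] for b in pred[w] if a != b
                  for w1 in pred[w][a] for w2 in pred[w][b]),
        'C7': all(succ[succ[w][a]].get(b) is not None
                  and succ[succ[w][a]].get(b) == succ[succ[w][b]].get(a)
                  for w in states for a in succ[w] for b in succ[w] if (a, b) in I),
        'C8': all(succ[w].get(b) is not None
                  and succ[succ[w][b]].get(a) == succ[succ[w][a]][b]
                  for w in states for a in succ[w] for b in succ[succ[w][a]] if (a, b) in I),
    }

class TraceSystem:
    """Set-valued semantics of the TSL operators on a finite frame.  Terminal
    states get an f self-loop, which the forward operators cannot tell from the
    paper's infinite f-chain (the past operators could, so use I() for a..e only)."""
    def __init__(self, init, states, edges):
        self.init, self.W = init, frozenset(states)
        self.succ = {s: {} for s in states}
        self.pred = {s: {} for s in states}
        loops = [((s, 'f'), s) for s in states if s[:2] == (6, 4)]
        for (s, a), t in list(edges.items()) + loops:
            self.succ[s][a] = t
            self.pred[t].setdefault(a, set()).add(s)
    def EX(self, S, a=None):  # some a-successor (any action if a is None) lies in S
        return {w for w, d in self.succ.items() for b, t in d.items() if a in (None, b) and t in S}
    def EY(self, S, a=None):  # some a-predecessor lies in S
        return {w for w, d in self.pred.items() for b, ws in d.items() if a in (None, b) and ws & S}
    def fix(self, f, Z=frozenset()):  # iterate f from Z until a fixpoint is reached
        while f(Z) != Z:
            Z = f(Z)
        return Z
    def EU(self, S1, S2): return self.fix(lambda Z: S2 | (S1 & self.EX(Z)))          # A4, lfp
    def EG(self, S):      return self.fix(lambda Z: S & self.EX(Z), self.W)          # A3, gfp
    def ES(self, S1, S2): return self.fix(lambda Z: S2 | (S1 & self.EY(Z)))          # A7, lfp
    def EH(self, S):      return self.fix(lambda Z: S & ({self.init} | self.EY(Z)))  # A6, lfp
    def EF(self, S):      return self.EU(self.W, S)
    def AF(self, S):      return self.W - self.EG(self.W - S)
    def EP(self, S):      return self.ES(self.W, S)
    def I(self, a, b):  # independence via the abbreviation I(a,b) = EP EF(EY_a true & EY_b true)
        return self.init in self.EP(self.EF(self.EY(self.W, a) & self.EY(self.W, b)))

def verify(n):
    """Check C2-C8 on CONFAC's frame for input n and decide Spec on it."""
    init, states, edges = build_frame(n)
    conds = check_conditions(init, states, edges)
    m = TraceSystem(init, states, edges)
    goal = {s for s in m.W if s[:2] == (6, 4) and s[4] == factorial(n)}
    return all(conds.values()), init in m.AF(goal), m

if __name__ == '__main__':
    for n in range(4):
        ok, spec, m = verify(n)
        print(f"x={n}: {len(m.W)} states, C2-C8 hold: {ok}, Spec holds: {spec}")
```

`verify(n)` returns whether C2-C8 hold on the frame for input $x = n$, whether Spec holds there (the initial state lies in $AF(l_1 = 6 \land l_2 = 4 \land z = n!)$), and the frame itself; on the returned frame `m.I('c', 'd')` recovers the independence of $c$ and $d$ through the paper's abbreviation, and `m.EX(m.EX(S, 'd'), 'c') == m.EX(m.EX(S, 'c'), 'd')` for the set $S$ of states with $(l_1, l_2) = (1, 4)$ is the concurrency closure of $c$ and $d$ (axiom A14) checked semantically rather than derived.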
7  Quantifying over the time points

In this section we consider FTSL with variables ranging over the points of time. For an interesting account of the debate whether such an approach is justified we refer the reader to [3], especially Section 2.4.2. With no intention to even enter that discussion we just announce the technical result of a complete axiomatization of such a logic, within the same mathematical framework as above.

The syntax of this new logic is the same as in Section 3 above but with one more sort of variables $x_i$ called the temporal variables (TV, for short); the same sort as that of a new temporal constant $C$ for the time beginning. We allow existential and universal quantification over the temporal variables. We interpret this language in structures of the same form as above. Here by valuations we mean mappings $V = V_s \cup V_t$ such that $V_s : SV \rightarrow A$ and $V_t : TV \rightarrow W$. The satisfaction relation is defined as above with the obvious alterations. We now include C2-C8 in the set of axioms. C1 can be handled by taking the reachable (initial segment) substructure of the time frame.

The  same  argument  as  above  gives  the  soundness  and  completeness  theorems. 


8  Conclusions 

We have given a complete proof system for the first-order version of TSL. This is the first known axiomatization of a first-order temporal logic interpreted over trace (transition) systems. Our proof system can be easily adapted to ISTL [23] (with modalities ranging over maximal paths) by removing the formula $I(a, b)$ from axiom A13. The new axiom restricts the frames to conflict-free ones.

It follows from the completeness theorem that the set of all theorems of FTSL is at most $\Pi^1_1$. Since the validity problem for TSL is $\Pi^1_1$-hard [20], it is $\Pi^1_1$-hard for FTSL. Therefore, the validity problem for FTSL is $\Pi^1_1$-complete. Identifying interesting fragments of FTSL with low complexity is left as an important open problem.

We believe that FTSL might turn out to be useful for proving most of the interesting branching-time and partial-order properties of real-life concurrent programs (not only academic toy examples) in a (human-aided) axiomatic way.

References 

[1] R. Alur, D. Peled, and W. Penczek, Model-Checking of Causality Properties, Proc. of LICS'95.

[2]  J.L.  Bell  and  A.B.  Slomson,  Models  and  Ultraproducts ,  North-Holland,  1971. 

[3] J. van Benthem, Time, logic and computation, in: J.W. de Bakker, W.P. de Roever, G. Rozenberg, eds., Linear Time, Branching Time and Partial Order in Logics and Models for Concurrency, Lecture Notes in Computer Science, volume 354, Springer-Verlag, 1989, pp. 1-49.

[4] L. Bolc, A. Szalas, eds., Time and Logic: A Computational Approach, UCL Press Ltd., London, 1995.

[5] E. M. Clarke, E. A. Emerson, and A. P. Sistla, Automatic verification of finite state concurrent systems using temporal logic specifications: A practical approach, ACM Transactions on Programming Languages and Systems, 8(2):244-263, 1986.

[6]  V.  Diekert  and  G.  Rozenberg,  editors.  The  Book  of  Traces.  World  Scientific, 
Singapore.  1995. 

[7]  E.A.  Emerson.  Temporal  and  Modal  Logic.  In  J.  V.Leuven,  editor,  Formal  Mod¬ 
el*  and  Semantics,  Volume  B,  The  MIT  Press  Elsevier,  1990,  pp.  995-1067. 

[8]  E.A.  Emerson,  and  J.Y.  Halpem,  Decision  Procedures  and  Expressiveness  in 
the  Temporal  Logic  of  Branching  Time,  Proc.  of  Nth  Annual  ACM  Symp.  on 
Theory  of  Computing,  San  Francisco,  pp.  1 69- 1 80, 1 982,  also  appeared  in  Jour¬ 
nal  of  Computer  and  System  Sciences,  vol.  30  (1),  pp.  1-24,  1985. 

[9]  L.  Fix,  O.  Grumberg.  Verification  of  temporal  properties,  CS  Cornell  Univ. 
Ithaca  NY,  TR  93-1368  Aug.  1993. 

[10]  F.  Kroger,  On  temporal  program  verification  rules,  TCS  19(3),  1985,  pp.  261— 
280. 

[11]  S.  Katz  and  D.  Peled.  Interleaving  set  temporal  logic.  Theoretical  Computer 
Science,  75(3):21-43,  1991. 

[12]  K.  Lodaya,  R.  Parikh,  R.  Ramanujam  and  P.S.  Thiagarajan,  A  logical  study  of 
distributed  transition  systems,  Report  IMSC.92.07,  The  Institute  of  Mathemat¬ 
ical  Sciences,  Madras,  India,  1992,  and  to  appear  in  Information  and  Control. 

[13]  A.  Mazurkiewicz,  Trace  theory.  In  W.  Brauer  et  al„  editors,  Petri  Nets,  Ap¬ 
plications  and  Relationship  to  other  Models  of  Concurrency,  number  255  in 
Lecture  Notes  in  Computer  Science,  pages  279-324,  Springer-Verlag,  1987. 

[14]  Z.  Manna,  A.  Pnueli,  Verification  of  concurrent  programs:  temporal  proof 
principles,  in:  D.  Boyer  and  J.S.  Moore,  eds..  The  Correctness  Problem  in  Com¬ 
puter  Science,  Academic  Press,  New  York,  1981,  pp.  215-273. 

[15]  Z.  Manna,  A.  Pnueli,  Unear  Time  Temporal  Logic,  Springer  Verlag,  1991. 

[16]  H.  Andreka,  V.  Goranko,  S.  Mikulas,  I.  Nemeti,  and  I.  Sain,  Effective  tempo¬ 
ral  logics  of  programs,  chapter  2  in  [4], 

[17]  M.  Nielsen,  G.  Rozenberg,  and  P.S.  Thiagarajan,  Transition  systems,  event 
structures  and  unfoldings.  Information  and  Computation  118, 1995. 


18 


[18]  W.  Penczek,  A  temporal  logic  forevent  structures,  Fundamenta Informaticae 
XI,  pp.  297-326, 1988. 

[19]  W.  Penczek,  On  undecidability  of  temporal  logics  on  trace  systems.  Informa¬ 
tion  Processing  Letters  43,  pp.  147-153,  1992. 

[20]  W.  Penczek,  Temporal  logics  on  trace  systems:  on  automated  verification.  In¬ 
ternational  Journal  of  Foundations  of  Computer  Science,  Vol.  4  No.  1,  pp.  31— 
67, 1993. 

[21]  W.  Penczek,  Branching  time  and  partial  order  in  temporal  logics,  chapter  4  in 
[4]. 

[22]  W.  Penczek,  Axiomatizaiions  of  temporal  logics  on  trace  systems,  Funda¬ 
menta  Informaticae  25,  pp.  183-200,  1996. 

[23]  D.  Peled,  A.  Pnueli,  Proving  partial  order  properties,  Theoretical  Computer 
Science  126,  pp.  143-182, 1994. 

[24]  H.  Rasiowa  and  R.  Sikorski,  The  mathematics  of  metamathematics,  North- 
Holland,  1970. 

[25]  A.  Szalas,  A  Complete  Axiomatic  Characterization  of  first-order  temporal 
logic  of  linear  time.  Theoretical  Computer  Science  54,  pp.  199-214, 1987. 

[26]  P.S.  Thiagarajan,  A  trace  based  extension  of  Linear  Time  Temporal  Logic, 
Proceedings  of  LICS‘94. 


INTERLEAVED PROGRESS, CONCURRENT PROGRESS AND LOCAL PROGRESS 

W. REISIG 

HUMBOLDT UNIVERSITY OF BERLIN, GERMANY 


1.  Introduction 

The relevant properties of distributed algorithms can be classified as safety and 
liveness properties, as suggested e.g. in [1, 3, 7]. Such properties can adequately be 
represented and proven with the help of temporal logic [5]. 

In the sequel we consider particular safety and liveness properties, called state 
and progress properties. They are sufficient to describe the decisive properties of a 
large class of distributed algorithms. Furthermore, there exist powerful proof rules 
for such properties. 

Intuitively formulated, a state property $p$ characterizes a subset of system states 
($p$-states). A state property $p$ is said to hold in a system $\Sigma$ iff each reachable 
state of $\Sigma$ is a $p$-state. Correspondingly, a progress property is based on two state 
properties, and characterizes a subset of runs: A progress property $(p, q)$ holds in 
a run $w$ iff each $p$-state in $w$ is followed by a $q$-state in $w$. In the setting of linear 
time temporal logic, which we assume exclusively in the sequel, a progress property 
$(p, q)$ holds in a system $\Sigma$ iff $(p, q)$ holds in each reachable run of $\Sigma$. 

This informal characterization of progress properties is far from unique. We will 
discuss and mutually relate three versions of progress properties, called interleaved, 
concurrent and local progress, each of which has its own merits. 

We concentrate on properties that are also considered in the logic ISTL of [8]. 
We suggest proof techniques that yield simpler proofs in many cases. 

2.  Elementary  System  Nets 

The description of an algorithm usually goes with the implicit assumption of 
progress. As an example, each execution of a PASCAL program is assumed to 
continue as long as the program counter points at some executable statement. The 
situation is more involved for distributed algorithms: Progress is usually assumed 
for most, but not necessarily all actions. 

As an example, Fig. 2.1 shows a quite simple producer/consumer system, $\Sigma_1$. 
One may intend $\Sigma_1$ not to terminate in a state with deliver enabled. Likewise 
one may want remove and consume not to remain enabled infinitely. Not enforcing 
produce may however be adequate; this action may depend on the environment 
of $\Sigma_1$, not represented in Fig. 2.1. The action produce is said to be quiescent 
in this case (and inscribed with "q"), whereas all other actions are progressing. 
Consequently, each acceptable run of $\Sigma_1$ turns out to be either infinite or to terminate 
in the initial state. Distributed algorithms frequently assume fairness for some 
progressing actions. This issue is not covered here; we refer to [11-13] instead. 
Finally, loops are frequently convenient. 

Figure 2.1. es-net $\Sigma_1$: producer/consumer with quiescent produce. Local states: 
A: ready to produce, B: ready to deliver, C: buffer empty, D: buffer filled, E: ready 
to remove, F: ready to consume. Actions: a: produce, b: deliver, c: remove, d: consume. 

This leads to a class of Petri nets that has not been identified in the literature 
so far: One-safe place/transition nets with quiescent and fair transitions. This class 
is worth being named by its own, and we have chosen the term elementary system 
nets, in accordance with advanced system nets, considered elsewhere. 

As usual we write a net $N$ as $N = (P, T, F)$. We employ standard notations 
such as ${}^\bullet x$ and $x^\bullet$, denoting the pre-set and the post-set of $x \in P \cup T$ or $X \subseteq P \cup T$, 
respectively. Due to the intended use of nets, the elements of $P$ and $T$ will frequently 
be called local states and actions, respectively. We employ the usual graphical 
representation of nets, depicting elements of $P$, $T$ and $F$ as circles, squares and 
arcs, respectively. $P_N$, $T_N$ and $F_N$ will denote $P$, $T$ and $F$, respectively. 

Enabledness and occurrence of actions are defined as follows: 

Definition 2.1. Let $N$ be a net. 

(1) Any subset $a \subseteq P_N$ of local states is called a (global) state of $N$. 

(2) An action $t \in T_N$ is enabled in $a \subseteq P_N$ iff ${}^\bullet t \subseteq a$ and $(t^\bullet \setminus {}^\bullet t) \cap a = \emptyset$. 

(3) Let $a \subseteq P_N$ and $t \in T_N$. Then $\mathrm{eff}(a, t) := (a \setminus {}^\bullet t) \cup t^\bullet$ is the effect of $t$'s 
occurrence on $a$. 

(4) Let $t \in T_N$ be enabled at $a \subseteq P_N$. Then $(a, t, \mathrm{eff}(a, t))$ is a step of $N$, written 
$a \xrightarrow{t} \mathrm{eff}(a, t)$. 

(5) Any finite or infinite sequence $a_0 \xrightarrow{t_1} a_1 \xrightarrow{t_2} a_2 \ldots$ of steps $a_{i-1} \xrightarrow{t_i} a_i$ 
($i = 1, 2, \ldots$) of $N$ is an $N$-based interleaved run. $a_0$ is its initial state. 

(6) Let $t \in T_N$ and let $w = a_0 \xrightarrow{t_1} a_1 \xrightarrow{t_2} \ldots$ be an $N$-based interleaved run. $w$ is 
said to respect progress of $t$ iff for each state $a_i$ that enables $t$ there exists an 
index $j > i$ with $t_j \in ({}^\bullet t)^\bullet$. 

An  elementary  system  net  has  an  initial  state  and  declares  each  action  either  as 
progressing  or  as  quiescent. 
Definition 2.2. A net $\Sigma$ is called an elementary system net (es-net, for short) iff 

(1) a state $a_\Sigma \subseteq P_\Sigma$ is distinguished, called the initial state of $\Sigma$, 

(2) each action in $T_\Sigma$ is denoted as either progressing or quiescent. 

The initial state $a_\Sigma$ is graphically depicted by a dot in the corresponding circle, 
and each quiescent action is inscribed with "q". Reachable states and runs of 
elementary system nets are defined as follows: 

Definition 2.3. Let $\Sigma$ be an elementary system net. 

(1) A state $a \subseteq P_\Sigma$ is reachable in $\Sigma$ iff there exists a $\Sigma$-based run $w = a_0 \xrightarrow{t_1} \ldots \xrightarrow{t_n} a_n$ 
with $a_0 = a_\Sigma$ and $a_n = a$. 

(2) A $\Sigma$-based interleaved run $w = a_0 \xrightarrow{t_1} a_1 \xrightarrow{t_2} \ldots$ is an interleaved, reachable 
run of $\Sigma$ iff $w$ respects progress of each progressing action of $\Sigma$ and $a_0$ is a 
reachable state of $\Sigma$. 

In the sequel we also employ concurrent runs of es-nets. They can be defined as 
usual for en-systems, and are based on occurrence nets: 

Definition 2.4. A net $K$ is called an occurrence net iff 

(1) for each $p \in P_K$, $|{}^\bullet p| \le 1$ and $|p^\bullet| \le 1$, 

(2) for each $t \in T_K$, $|{}^\bullet t| \ge 1$ and $|t^\bullet| \ge 1$, 

(3) the transitive closure $F_K^+$ of $F_K$, frequently written $<_K$, is irreflexive (i.e. 
$x_1 F_K x_2 F_K \cdots F_K x_n$ implies $x_1 \ne x_n$), 

(4) for each $x \in P_K \cup T_K$, $\{y \mid y <_K x\}$ is finite. 

Figure 2.2. The unique infinite concurrent run of $\Sigma_1$ starting at $a_{\Sigma_1}$ 

Fig. 2.2 shows an element labelled occurrence net. $<_K$ is a strict partial order 
in each occurrence net $K$. In fact, $x <_K y$ iff there exists an arrow sequence from 
$x$ to $y$. 

We are particularly interested in states consisting of pairwise unordered places 
and consider each occurrence net canonically as an es-net, with the minimal local 
states constituting the initial state: 

Definition 2.5. Let $K$ be an occurrence net. 

(1) $K$ is element labelled iff a set $M$ and a mapping $l : P_K \cup T_K \to M$ is 
assumed. 

(2) Two elements $p, q \in P_K \cup T_K$ are concurrent iff neither $p <_K q$ nor $q <_K p$. 

(3) A state $a \subseteq P_K$ is concurrent iff its elements are pairwise concurrent. 

(4) A state $a \subseteq P_K$ is maximally concurrent iff $a$ is concurrent and for all 
$p \in P_K \setminus a$ holds: $a \cup \{p\}$ is not concurrent. 

(5) Let ${}^\circ K := \{k \in K \mid {}^\bullet k = \emptyset\}$ and let $K^\circ := \{k \in K \mid k^\bullet = \emptyset\}$. 

(6) A state $a \subseteq P_K$ is reachable in $K$ iff $a$ is reachable from the initial state ${}^\circ K$. 

The above definitions immediately imply: 

Lemma 2.6. Let $K$ be an occurrence net and let $a \xrightarrow{t} b$ be a step of $K$. 

(1) If $a$ is concurrent, then $b$ is concurrent, too; 

(2) If $a$ is maximally concurrent, then $b$ is maximally concurrent, too. 

(3) Each reachable state $a \subseteq P_K$ is maximally concurrent. 

According to the (above described) intended use of an occurrence net $K$ to 
describe a run of a net $\Sigma$, each reachable state $a$ of $K$ represents a state of $\Sigma$ that 
might have been observed during the course of $K$. Two $a$-enabled actions of $K$ 
represent concurrent (independent) occurrences of the corresponding actions of $\Sigma$. 

Definition 2.7. Let $\Sigma$ be a net and let $K$ be an element labelled occurrence net. 
$K$ is a $\Sigma$-based concurrent run iff 

(1) in each concurrent state $a$ of $K$, different elements of $a$ are differently labelled, 

(2) for each $t \in T_K$, $l(t) \in T_\Sigma$, $l({}^\bullet t) = {}^\bullet l(t)$ and $l(t^\bullet) = l(t)^\bullet$. 

According to this definition, Fig. 2.2 in fact shows a concurrent run that is based 
on the producer/consumer system in Fig. 2.1. The notion of progress, above already 
defined for interleaved runs, is even more intuitive for concurrent runs: 

Definition 2.8. Let $\Sigma$ be an es-net, let $t \in T_\Sigma$ and let $K$ be a $\Sigma$-based concurrent 
run with labeling $l$. 

(1) $K$ is said to respect progress of $t$ iff $t$ is not enabled at $l(K^\circ)$. 

(2) $K$ is a reachable concurrent run of $\Sigma$ iff $l({}^\circ K)$ is reachable in $\Sigma$ and $K$ 
respects progress of each progressing action of $\Sigma$. 

Fig. 2.2 outlines a reachable concurrent run of $\Sigma_1$. There is in fact exactly one 
infinite concurrent run of $\Sigma_1$ that starts in the initial state of $\Sigma_1$. As a further 
example, the es-net $\Sigma_2$ as given in Fig. 2.3 evolves exactly two concurrent runs 
starting at the initial state of $\Sigma_2$. They are shown in Fig. 2.4. 


3. State Properties 

Technically, a state property of an es-net $\Sigma$ is a subset of states of $\Sigma$. We describe 
state properties with the help of propositional formulas, taking the local states of $\Sigma$ as 
propositional atoms: 

Definition 3.1. Let $P$ be a set of symbols. Then 

(1) each local state $p \in P$ is a state formula over $P$, and 

(2) if $p$ and $q$ are state formulas over $P$, then $\neg p$ and $p \wedge q$ are state formulas 
over $P$. 

Figure 2.4. The concurrent runs of $\Sigma_2$ 

Let $\mathrm{sf}(P)$ denote the set of state formulas over $P$. Validity of state formulas is 
defined as can be expected: 

Definition 3.2. Let $\Sigma$ be an es-net, let $p, q$ be state formulas over $P_\Sigma$ and let 
$a \subseteq P_\Sigma$ be a state. Then $a \models p$ ("$a$ is a $p$-state") is inductively defined as follows: 

$a \models p$ iff $p \in a$, for $p \in P_\Sigma$, 

$a \models \neg p$ iff not $a \models p$, 

$a \models p \wedge q$ iff $a \models p$ and $a \models q$. 

Furthermore $\Sigma \models p$ ("$p$ holds in $\Sigma$") iff each reachable state of $\Sigma$ is a $p$-state. 

Of course, we apply the usual propositional conventions such as $p \vee q$, $p \to q$ etc. 
$\Sigma \models p$ can frequently be proven with the help of assertional reasoning: One proves 
that $p$ holds initially and for each transition $t$ of $\Sigma$ one shows, considering $p$ and 
$t$ only, that each step $a \xrightarrow{t} b$ preserves $p$. The well known techniques of place 
invariants and traps are examples of assertional reasoning. 

The following notations turn out useful in the sequel: 

Definition 3.3. Let $\Sigma$ be an es-net. 

(1) With $P = \{p_1, \ldots, p_n\} \subseteq P_\Sigma$, the formula $p_1 \wedge \cdots \wedge p_n$ is frequently written 
$p_1 \ldots p_n$ or just $P$. 

(2) Let $K$ be a $\Sigma$-based concurrent run, let $p \in \mathrm{sf}(P_\Sigma)$ and let $L \subseteq P_K$. Then $L$ 
is said to have a reachable $p$-state iff there exists a set $M \subseteq P_K$, reachable 
from $L$, such that $l(M)$ is a $p$-state. 

For example, let $K$ be the run of Fig. 2.2 and let $L = \{s_1, s_2\} \subseteq P_K$ be concurrent 
with $l(s_1) = B$ and $l(s_2) = C$. Then $L$ has a reachable $A \wedge D$-state as well as a 
reachable $B \wedge D$-state, but no reachable $A \wedge C$-state. 
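The occurrence-net notions of Definitions 2.4 to 2.6 and the reachable $p$-states of Definition 3.3(2) can be checked mechanically. The following Python program is an added example and not part of the paper: it encodes a finite prefix of the concurrent run of Fig. 2.2 as an element labelled occurrence net (the place names p1..p10 and transition names t1..t5 are our own choice; the labels A..F and a..d are the local states and actions of Fig. 2.1), computes $<_K$ as the transitive closure of the arc relation, checks the conditions of Definition 2.4, decides (maximal) concurrency of states, and tests whether a set $L$ has a reachable $p$-state for a conjunction $p$ of local states. The functions `causal_order`, `concurrent`, `has_reachable_state` etc. are ours, not the paper's.

```python
# Added example (not from the paper): occurrence nets as in Definitions
# 2.4-2.6 and 3.3(2), checked on a constructed finite prefix of the
# concurrent run of Sigma_1 (Fig. 2.2). Place/transition names are ours;
# the labels are the local states A..F and actions a..d of Fig. 2.1.

K_PLACES = {"p1": "A", "p2": "C", "p3": "E", "p4": "B", "p5": "A",
            "p6": "D", "p7": "C", "p8": "F", "p9": "B", "p10": "E"}
K_TRANS = {  # name -> (action label, pre-set, post-set)
    "t1": ("a", {"p1"}, {"p4"}),              # produce
    "t2": ("b", {"p4", "p2"}, {"p5", "p6"}),  # deliver
    "t3": ("c", {"p6", "p3"}, {"p7", "p8"}),  # remove
    "t4": ("a", {"p5"}, {"p9"}),              # produce again
    "t5": ("d", {"p8"}, {"p10"}),             # consume
}


def flow(trans):
    """The arc relation F_K as a set of (x, y) pairs."""
    arcs = set()
    for t, (_, pre, post) in trans.items():
        arcs |= {(p, t) for p in pre} | {(t, p) for p in post}
    return arcs


def causal_order(places, trans):
    """<_K: transitive closure of F_K, computed by Warshall's algorithm."""
    nodes = list(places) + list(trans)
    less = flow(trans)
    for k in nodes:
        for i in nodes:
            if (i, k) in less:
                for j in nodes:
                    if (k, j) in less:
                        less.add((i, j))
    return less


def is_occurrence_net(places, trans):
    """Definition 2.4: unbranched places, non-empty pre/post-sets of
    transitions, irreflexive <_K. Condition (4), finite pasts, is trivial
    here because the constructed net is finite."""
    for p in places:
        if sum(p in pre for _, pre, _ in trans.values()) > 1:    # |p•| <= 1
            return False
        if sum(p in post for _, _, post in trans.values()) > 1:  # |•p| <= 1
            return False
    if any(not pre or not post for _, pre, post in trans.values()):
        return False
    less = causal_order(places, trans)
    return all((x, x) not in less for x in list(places) + list(trans))


def concurrent(less, a):
    """Definition 2.5(3): the elements of a are pairwise unordered."""
    return all((x, y) not in less and (y, x) not in less
               for x in a for y in a if x != y)


def maximally_concurrent(less, places, a):
    """Definition 2.5(4): concurrent and not extensible by any place."""
    return concurrent(less, a) and all(
        not concurrent(less, set(a) | {p}) for p in set(places) - set(a))


def initial_state(places, trans):
    """°K: the places without pre-set (Definition 2.5(5))."""
    return frozenset(p for p in places
                     if not any(p in post for _, _, post in trans.values()))


def enabled(trans, a, t):
    """Definition 2.1(2) read on the occurrence net."""
    _, pre, post = trans[t]
    return pre <= a and not ((post - pre) & a)


def reachable_from(trans, start):
    """All states reachable from `start` by steps (Definitions 2.1, 2.5(6))."""
    seen, todo = {frozenset(start)}, [frozenset(start)]
    while todo:
        a = todo.pop()
        for t in trans:
            if enabled(trans, a, t):
                b = frozenset((a - trans[t][1]) | trans[t][2])
                if b not in seen:
                    seen.add(b)
                    todo.append(b)
    return seen


def has_reachable_state(places, trans, L, labels):
    """Definition 3.3(2) for a conjunction of local states: is there a state
    reachable from L whose labels l(M) contain every label in `labels`?"""
    return any(set(labels) <= {places[p] for p in M}
               for M in reachable_from(trans, L))


if __name__ == "__main__":
    less = causal_order(K_PLACES, K_TRANS)
    init = initial_state(K_PLACES, K_TRANS)
    print(is_occurrence_net(K_PLACES, K_TRANS))               # True
    # Lemma 2.6(3): every reachable state is maximally concurrent
    print(all(maximally_concurrent(less, K_PLACES, a)
              for a in reachable_from(K_TRANS, init)))       # True
    L = {"p4", "p2"}                                          # labels B, C
    print(has_reachable_state(K_PLACES, K_TRANS, L, "AD"),    # True
          has_reachable_state(K_PLACES, K_TRANS, L, "BD"),    # True
          has_reachable_state(K_PLACES, K_TRANS, L, "AC"))    # False
```

The last three calls reproduce the example above: from the concurrent set $L$ with labels $B$ and $C$, the run reaches an $A \wedge D$-state (after deliver) and a $B \wedge D$-state (after a second produce), but no $A \wedge C$-state, because remove needs the $E$-labelled place that is not part of $L$.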
4. Interleaved Progress 

In accordance with other formalisms such as UNITY, interleaved progress is 
described with the help of formulas of the form $p \mapsto q$ ("$p$ leads to $q$"). Validity of such a 
formula in an es-net $\Sigma$ is based on its validity in all interleaved runs of $\Sigma$: 

Definition 4.1. Let $\Sigma$ be an es-net and let $p, q \in \mathrm{sf}(P_\Sigma)$. 

(1) For any $\Sigma$-based interleaved run $w$ let $w \models p \mapsto q$ iff $w$ has a $q$-state provided 
its initial state is a $p$-state. 

(2) $\Sigma \models p \mapsto q$ iff for each reachable interleaved run $w$ of $\Sigma$ holds: $w \models p \mapsto q$. 

For example, in the producer/consumer system $\Sigma_1$ holds $B \mapsto A$ but not $A \mapsto B$. 
Likewise, in $\Sigma_2$ holds $ABC \mapsto F \vee G$, and in $\Sigma_3$ holds $AB \mapsto E$ and $A \mapsto E$, but 
not $AB \mapsto AD$. 

Figure 4.1. A technical example, $\Sigma_3$ 

Elementary leads-to properties can be picked up from the static structure of an 
es-net. To this end we define: 

Definition 4.2. Let $\Sigma$ be an es-net and let $Q = \{q_1, \ldots, q_n\} \subseteq P_\Sigma$. 

(1) $Q$ is progress prone iff $Q$ enables at least one progressing action of $\Sigma$. 

(2) $Q$ prevents an action $t \in T_\Sigma$ iff for ${}^\bullet t = \{p_1, \ldots, p_m\}$ holds: The state formula 
$(q_1 \wedge \cdots \wedge q_n) \to \neg(p_1 \wedge \cdots \wedge p_m)$ holds in $\Sigma$. 

(3) $U \subseteq T_\Sigma$ is a change set of $Q$ iff $U \ne \emptyset$ and $Q$ prevents each $t \in Q^\bullet \setminus U$. 

The pick-up rule for progress is now captured in a Theorem: 

Theorem 4.3. Let $\Sigma$ be an es-net, let $Q \subseteq P_\Sigma$ be progress prone and let $U \subseteq T_\Sigma$ 
be a change set of $Q$. Then 

$\Sigma \models Q \mapsto \bigvee_{u \in U} \mathrm{eff}(Q, u)$. 

Proof. Let $w = a_0 \xrightarrow{t_1} a_1 \xrightarrow{t_2} \ldots$ be a reachable interleaved run of $\Sigma$ and let $a_0$ be 
a $Q$-state. Then $a_0$ enables a progressing action $u$ with ${}^\bullet u \subseteq Q$ (as $Q$ is assumed 
to be progress prone). Furthermore, ${}^\bullet u \subseteq a_0$ (by Definition 3.2). Then there exists 
an index $j \ge 1$ with $t_j \in ({}^\bullet u)^\bullet$ (by Definition 2.3(2) and Definition 2.1(6)). Then 
there exists an index $l \le j$ with $t_l \in Q^\bullet$. Let $k$ be the smallest such index. Then 
$a_k \models \mathrm{eff}(Q, t_k)$. Furthermore, $t_k \in U$ (as $U$ is assumed to be a change set of $Q$), 
hence $a_k \models \bigvee_{u \in U} \mathrm{eff}(Q, u)$. Then $w \models Q \mapsto \bigvee_{u \in U} \mathrm{eff}(Q, u)$ with Definition 4.1(1) 
and the proposition follows with Definition 4.1(2). $\square$ 

This Theorem in fact allows to pick up $\Sigma_1 \models BC \mapsto AD$ with $Q = BC$ and 
$U = \{b\}$ but not $\Sigma_1 \models A \mapsto B$ because $A$ is not progress prone. Furthermore, 
$\Sigma_2 \models DBE \mapsto DG \vee EF$ with $Q = DBE$ and $U = \{c, d\}$; even more, $\Sigma_2 \models BD \mapsto 
DG \vee F$ with $Q = BD$ and $U = \{c, d\}$. 
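The interleaved semantics of Definitions 2.1 to 2.3 and 3.2 and the pick-up rule of Theorem 4.3 can be run on $\Sigma_1$ directly. The following Python program is an added example and not part of the paper. It encodes $\Sigma_1$ of Fig. 2.1 as a dictionary (our own encoding), implements enabledness, effect, reachability, the progress condition of Definition 2.1(6) for finite runs, and the notions of Definition 4.2. One point departs from the paper's technique: "$Q$ prevents $t$" is decided by enumerating all reachable states rather than by a place invariant, which is feasible only because $\Sigma_1$ has eight reachable states. The function names (`pick_up`, `prevents`, `is_change_set`, ...) are ours.

```python
# Added example (not from the paper): interleaved semantics of es-nets
# (Definitions 2.1-2.3, 3.2) and the pick-up rule of Theorem 4.3, run on the
# producer/consumer net Sigma_1 of Fig. 2.1. The dictionary encoding is ours.

SIGMA1 = {
    "actions": {  # name -> (pre-set •t, post-set t•)
        "a": ({"A"}, {"B"}),            # produce
        "b": ({"B", "C"}, {"A", "D"}),  # deliver
        "c": ({"D", "E"}, {"C", "F"}),  # remove
        "d": ({"F"}, {"E"}),            # consume
    },
    "initial": frozenset({"A", "C", "E"}),
    "quiescent": {"a"},                 # every other action is progressing
}


def enabled(net, a, t):
    """Definition 2.1(2): •t ⊆ a and (t• minus •t) ∩ a = ∅."""
    pre, post = net["actions"][t]
    return pre <= a and not ((post - pre) & a)


def eff(net, a, t):
    """Definition 2.1(3): eff(a, t) = (a minus •t) ∪ t•."""
    pre, post = net["actions"][t]
    return frozenset((a - pre) | post)


def reachable_states(net):
    """Definition 2.3(1): all states reachable from the initial state."""
    seen, todo = {net["initial"]}, [net["initial"]]
    while todo:
        a = todo.pop()
        for t in net["actions"]:
            if enabled(net, a, t):
                b = eff(net, a, t)
                if b not in seen:
                    seen.add(b)
                    todo.append(b)
    return seen


def holds(net, p):
    """Definition 3.2: Σ ⊨ p, with p given as a predicate on states."""
    return all(p(a) for a in reachable_states(net))


def respects_progress(net, run, t):
    """Definition 2.1(6) for a finite run [a0, t1, a1, t2, a2, ...]: every
    state that enables t is followed by some action of (•t)•."""
    states, acts = run[0::2], run[1::2]
    pre = net["actions"][t][0]
    conflicting = {u for u, (pu, _) in net["actions"].items() if pu & pre}
    return all(conflicting & set(acts[i:])
               for i, a in enumerate(states) if enabled(net, a, t))


def progress_prone(net, Q):
    """Definition 4.2(1): Q enables some progressing action."""
    return any(enabled(net, Q, t)
               for t in net["actions"] if t not in net["quiescent"])


def prevents(net, Q, t):
    """Definition 4.2(2), decided by state enumeration instead of an
    invariant: no reachable state contains both Q and •t."""
    pre = net["actions"][t][0]
    return holds(net, lambda a: not (Q <= a and pre <= a))


def is_change_set(net, Q, U):
    """Definition 4.2(3): U ≠ ∅ and Q prevents every t in Q• minus U."""
    post_Q = {t for t, (pre, _) in net["actions"].items() if pre & Q}
    return bool(U) and all(prevents(net, Q, t) for t in post_Q - U)


def pick_up(net, Q, U):
    """Theorem 4.3: if Q is progress prone and U is a change set of Q,
    return the disjuncts eff(Q, u), u in U, of the picked-up formula
    Q ↦ ⋁ eff(Q, u); otherwise None (the rule does not apply)."""
    Q, U = frozenset(Q), set(U)
    if not (progress_prone(net, Q) and is_change_set(net, Q, U)):
        return None
    return {eff(net, Q, u) for u in U}


if __name__ == "__main__":
    print(len(reachable_states(SIGMA1)))                          # 8
    print(holds(SIGMA1, lambda a: ("A" in a) != ("B" in a)))      # True: A+B=1
    print(pick_up(SIGMA1, {"B", "C"}, {"b"}))   # {frozenset({'A','D'})}: BC ↦ AD
    print(pick_up(SIGMA1, {"A"}, {"a"}))        # None: A is not progress prone
```

The two `pick_up` calls reproduce the paragraph above: $BC$ with $U = \{b\}$ yields $BC \mapsto AD$, while $A$ is rejected because its only enabled action, produce, is quiescent. `respects_progress` makes the remark on acceptable runs concrete: the finite run $ACE \xrightarrow{a} BCE \xrightarrow{b} ADE$ respects progress of $b$ but not of $c$, since it stops in a state that enables remove.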
Not all valid leads-to properties can be picked up this way. But many such 
properties can be gained as the result of combining picked up properties with the help of 
the following Lemma: 

Lemma 4.4. Let $\Sigma$ be an es-net, and let $p$ and $q$ be state formulas of $\Sigma$. 

(1) If $\Sigma \models p \to q$ then $\Sigma \models p \mapsto q$. 

(2) If $\Sigma \models p \mapsto q$ and $\Sigma \models q \mapsto r$ then $\Sigma \models p \mapsto r$. 

(3) If $\Sigma \models p \mapsto r$ and $\Sigma \models q \mapsto r$ then $\Sigma \models (p \vee q) \mapsto r$. 

Proof of this Lemma just applies Definition 4.1 and is left to the reader. The 
transitivity of $\mapsto$ can graphically be depicted by $p \to q \to r$, and a disjunctive 
formula $p \mapsto (q_1 \vee \cdots \vee q_n)$ by a node $p$ with an arc to each of the nodes $q_1, \ldots, q_n$ (4.1). 

Figure 4.2. Proof graph for $\Sigma_3 \models A \mapsto E$ (nodes 1.A, 2.AB, 3.BC, 4.AD, 5.CD, 6.E; 
arcs inscribed with $a$, $b$ and $c$) 

Proofs of leads-to properties can thus nicely be presented as proof graphs (in [7] 
called proof lattices). As an example, the proof graph of Fig. 4.2 proves $\Sigma_3 \models 
A \mapsto E$. With the invariants $i_1 = A + C - B - D = 0$, $i_2 = A + C + E = 1$ and 
$i_3 = B + D + E = 1$ its nodes are justified as follows: 

Node 1: $i_1$ implies $A \to B \vee D$; 
node 2: trivial; 
node 3: $B$ prevents $c$ by $i_3$; 
node 4: $A$ prevents $c$ by 
node 5: trivial. 

As a further example, the proof graph of Fig. 4.3 proves $\Sigma_2 \models AB \mapsto (F \vee DG)$. 
The question mark at arc inscriptions indicates that enabledness of action $d$ was 
not guaranteed. 

Figure 4.3. Proof graph for $\Sigma_2 \models AB \mapsto (F \vee DG)$ 
5. Concurrent Progress 

Concurrent progress is described with the help of formulas of the form $p \hookrightarrow q$ ("$p$ causes 
$q$"). Validity of such a formula in an es-net $\Sigma$ is based on its validity in all concurrent 
runs of $\Sigma$. 

Concurrent progress is weaker than interleaved progress: $\Sigma \models p \mapsto q$ implies 
$\Sigma \models p \hookrightarrow q$. Vice versa, $\Sigma \models p \hookrightarrow q$ implies $\Sigma \models p \mapsto q$ in case $q$ is a disjunction 
$\bigvee Q$ of a set $Q \subseteq P_\Sigma$ of atomic state formulas. In this case, causes formulas can 
be employed for proving leads-to formulas. As the pick-up rule for causes formulas 
is more expressive than the pick-up rule for leads-to formulas, concurrent progress 
frequently reduces the size of proof graphs for leads-to properties. 

Definition 5.1. Let $\Sigma$ be an es-net and let $p, q \in \mathrm{sf}(P_\Sigma)$. 

(1) For any $\Sigma$-based concurrent run $K$ let $K \models p \hookrightarrow q$ iff $K$ has a reachable 
$q$-state, provided ${}^\circ K$ is a $p$-state. 

(2) $\Sigma \models p \hookrightarrow q$ iff for each reachable concurrent run $K$ of $\Sigma$ holds: $K \models p \hookrightarrow q$. 

Examples for valid causes formulas $p \hookrightarrow q$ are $\Sigma_1 \models B \hookrightarrow ACE$, $\Sigma_2 \models ABC \hookrightarrow 
ABE$ and $\Sigma_3 \models AB \hookrightarrow CB$. The corresponding leads-to formulas $p \mapsto q$ are not 
valid in the respective es-nets. 

The causes operator allows for proof graphs: 

Lemma 5.2. Let $\Sigma$ be an es-net and let $p, q, r \in \mathrm{sf}(P_\Sigma)$. 

(1) $\Sigma \models p \hookrightarrow p$. 

(2) If $\Sigma \models p \hookrightarrow q$ and $\Sigma \models q \hookrightarrow r$ then $\Sigma \models p \hookrightarrow r$. 

(3) If $\Sigma \models p \hookrightarrow r$ and $\Sigma \models q \hookrightarrow r$ then $\Sigma \models (p \vee q) \hookrightarrow r$. 

Proof of this Lemma just applies Definition 5.1 and is left to the reader. It is 
likewise easy to show that causes is in fact weaker than leads-to: 

Lemma 5.3. Let $\Sigma$ be an es-net and let $p \in \mathrm{sf}(P_\Sigma)$. 

(1) Let $q \in \mathrm{sf}(P_\Sigma)$. If $\Sigma \models p \mapsto q$ then $\Sigma \models p \hookrightarrow q$. 

(2) Let $Q \subseteq P_\Sigma$ and let $q := \bigvee Q$. If $\Sigma \models p \hookrightarrow q$ then $\Sigma \models p \mapsto q$. 

The concurrent pick-up rule again is based on change sets of progress prone sets 
of states: 

Theorem 5.4. Let $\Sigma$ be an es-net, let $R \subseteq Q \subseteq P_\Sigma$, let $R$ be progress prone and let 
$U$ be a change set of $R$ such that ${}^\bullet U \subseteq R$. Then $\Sigma \models Q \hookrightarrow (Q \setminus R) \wedge (\bigvee_{u \in U} \mathrm{eff}(R, u))$. 

Proof. Let $K$ be a reachable concurrent run of $\Sigma$ and let ${}^\circ K$ be a $Q$-state. Let 
$S_R \subseteq S_Q \subseteq {}^\circ K$ with $l(S_R) = R$ and $l(S_Q) = Q$. Then $l(S_R)$ enables at least 
one progressing action $u \in T_\Sigma$ (as $R$ is progress prone). Then $S_R \not\subseteq K^\circ$ (by 
Definition 2.8(2)). Then there exists some $t \in S_R{}^\bullet$ with $l(t) \in U$ (as $U$ is a change 
set of $R$). Even more, ${}^\bullet t \subseteq S_R$ (as ${}^\bullet U \subseteq R$ and Definition 2.7(2)). Then $({}^\circ K \setminus {}^\bullet t) \cup t^\bullet$ 
is a $(Q \setminus R) \wedge \mathrm{eff}(R, l(t))$-state. Hence the Theorem. $\square$ 

Figure 5.1. Proof graph for $\Sigma_1 \models BCE \hookrightarrow ACE$ (nodes 1.BCE, 2.ADE, 3.ACF, 4.ACE, 
connected in this order) 

As an example, Fig. 5.1 shows a proof graph for $\Sigma_1 \models BCE \hookrightarrow ACE$. Each 
node is justified by immediate application of the pick-up rule. 

Figure 5.2. Proof graph for $\Sigma_3 \models A \hookrightarrow E$ (nodes 1.A, 2.AB, 3.AD, 4.CD, 5.E) 

Likewise, Fig. 5.2 shows a proof graph for $\Sigma_3 \models A \hookrightarrow E$. The first node is 
justified by the place invariant $A + C - B - D = 0$ which implies $A \to (B \vee D)$. 
All other nodes are gained by immediate application of the pick-up rule. Together 
with Lemma 5.3(2), this proof graph coincidently proves $\Sigma_3 \models A \mapsto E$. This graph 
is smaller than the direct proof graph of Fig. 4.2. 

As a further example, 

(5.1) $\Sigma_2 \models ABC \hookrightarrow AG \vee CF$ 

is certainly valid, as with respect to the two concurrent runs of $\Sigma_2$, given in Fig. 2.4, 
holds $K_1 \models ABC \hookrightarrow CF$ and $K_2 \models ABC \hookrightarrow AG$. But the pick-up rule of 
Theorem 5.4 does not suffice to show (5.1). Intuitively formulated, Theorem 5.4 
does not squeeze sufficient information out of $\Sigma_2$. Proof of (5.1) in fact requires a 
further operator, yields, and is postponed to Chapter 7. 

6. Round Based Algorithms 

Distributed algorithms are frequently round based. Intuitively formulated, each 
concurrent run of a round based algorithm $\Sigma$ can be considered as a sequence of 
rounds. Each round is an instance of a $\Sigma$-based run that begins and ends at the 
same global state $a$ of $\Sigma$ (in fact, mostly the initial state). Hence, an $a$-state 
will be reached from any reachable state of any concurrent run of $\Sigma$, formally: 
$\Sigma \models \mathrm{true} \hookrightarrow a$. This implies that each finite concurrent run ends in an $a$-state and 
each infinite concurrent run has infinitely many $a$-states. 

We will refrain from a precise characterization of rounds and consider the more 
general notion of ground formulas: 

Definition 6.1. Let $\Sigma$ be an es-net and let $p \in \mathrm{sf}(P_\Sigma)$ be a state formula. $p$ is a 
ground formula of $\Sigma$ iff $\Sigma \models \mathrm{true} \hookrightarrow p$. 

Examples for ground formulas are $ACE$ for $\Sigma_1$ and $ACEG$ for $\Sigma_4$ in Fig. 6.1. 
There is an operational characterization of ground formulas. It is based on the 
notion of change sets as introduced in Definition 4.2(3). 

Theorem 6.2. Let $\Sigma$ be an es-net, let $p \subseteq P_\Sigma$ and let $U$ be a change set of $p$. 
Then $p$ is a ground formula of $\Sigma$ iff $\Sigma \models a_\Sigma \hookrightarrow p$ and for each $u \in U$ holds: 
$\Sigma \models \mathrm{eff}(p, u) \hookrightarrow p$. 

Proof. "$\Rightarrow$" is trivial. To show "$\Leftarrow$", let $K$ be a reachable concurrent run of $\Sigma$ 
and let $C$ be a reachable state of $K$. For each reachable state $B \subseteq P_K$ of $K$, let 
$\delta(B) = \{t \in T_K \mid b <_K t <_K c \text{ for some } b \in B \text{ and some } c \in C\}$. Then holds: 

(1) For each reachable state $B \subseteq P_K$, $\delta(B)$ is finite (by Definition 2.4(4)). 

(2) $B$ is reachable from $C$ iff $\delta(B) = \emptyset$. 

(3) If $A$ is reachable from $B$ then $\delta(A) \subseteq \delta(B)$. 

The Theorem's assumption of $\Sigma \models a_\Sigma \hookrightarrow p$ implies there exists a reachable $p$-state, 
$D$. If $\delta(D) = \emptyset$ then $D$ is reachable from $C$ (by (2)) and we are done. Otherwise, 
with (1) there exists a reachable $p$-state $E$ of $K$ with minimal, nonempty $\delta(E)$, i.e. 

(4) for no reachable $p$-state $E'$ holds: $\emptyset \ne \delta(E') \subsetneq \delta(E)$. Let $t \in \delta(E)$ be a 
minimal element w.r.t. $<_K$ (which exists according to (1)). Then ${}^\bullet t \subseteq E$ 
(by definition of $\delta(E)$). Then $F := (E \setminus {}^\bullet t) \cup t^\bullet$ is reachable from $E$ and 
$\delta(F) = \delta(E) \setminus \{t\}$, hence 

(5) $\delta(F) \subsetneq \delta(E)$. 

Now we distinguish two cases, and first assume that $F$ is a $p$-state. Then $\delta(F) = \emptyset$ 
(by (5) and (4)), hence $F$ is reachable from $C$ (by (2)) and we are done. 

Otherwise, $F$ is no $p$-state. Then $u := l(t) \in p^\bullet$. Even more, $u \in U$ (as $U$ is 
assumed a change set of $p$). Then $F$ is an $\mathrm{eff}(p, u)$-state. Then $K$ has a $p$-state, 
$G$, that is reachable from $F$ (by the Theorem's assumption of $\Sigma \models \mathrm{eff}(p, u) \hookrightarrow p$). 
Then $\delta(G) \subseteq \delta(F)$ (by (3)) $\subsetneq \delta(E)$ (by (5)), hence $\delta(G) = \emptyset$ (by (4)), hence $G$ is 
reachable from $C$ (by (2)) and we are done also in this case. $\square$ 

As an example, we prove that the initial state $ACE$ is a ground formula of $\Sigma_1$ with the 
help of Theorem 6.2. The first condition, $\Sigma_1 \models a_\Sigma \hookrightarrow ACE$, is trivially fulfilled. 
For the second condition of Theorem 6.2 we choose $q = \{A\}$ and $U = \{a\}$. Hence 
we have to show: $\Sigma_1 \models BCE \hookrightarrow ACE$. The proof graph 

(6.1) 1.BCE $\hookrightarrow$ 2.ADE $\hookrightarrow$ 3.ACF $\hookrightarrow$ 4.ACE 

shows this property. Its nodes are justified as follows: 

Node 1: context $E$; 
node 2: context $A$; 
node 3: context $A$. 

Hence (6.1) proves that $ACE$ will eventually be reached from any reachable state, 
though (6.1) does not argue about all reachable states of $\Sigma_1$, e.g. not about $BDE$ 
or $BDF$. This advantage of the causes operator is even more evident in the proof of 
the ground formula $ACEG$ of $\Sigma_4$: It is sufficient to prove $\Sigma_4 \models BCEG \hookrightarrow ACEG$, 
which in turn is gained with the help of the proof graph 

(6.2) 1.BCEG $\hookrightarrow$ 2.ADEG; from 2.ADEG the arcs inscribed $c$ and $d$ lead to 3.ACFG 
and 4.ACEH respectively, and both of these lead to 5.ACEG 

This proof graph concisely argues about 16 reachable states and infinitely many 
concurrent runs of $\Sigma_4$! Generally, $n$ consumers yield $2^n$ states and a proof graph 
with $n + 3$ nodes. 

Ground formulas support the proof of any causes formulas: In Theorem 5.4, the 
requirement of $R$ to be progress prone may be replaced by the requirement to imply 
$\neg p$ for some ground formula $p$: 

Theorem 6.3. Let $\Sigma$ be an es-net, let $R \subseteq Q \subseteq P_\Sigma$, let $p$ be a ground formula 
of $\Sigma$ with $\Sigma \models R \to \neg p$ and let $U$ be a change set of $R$ such that ${}^\bullet U \subseteq R$. Then 
$\Sigma \models Q \hookrightarrow (Q \setminus R) \wedge (\bigvee_{u \in U} \mathrm{eff}(R, u))$. 

Proof. Let $K$ be a reachable concurrent run of $\Sigma$ and let $C$ be a $Q$-state of $K$. 
Then $C$ has a reachable $p$-state $D$ (as $p$ is a ground formula) and $C \ne D$ (as 
$\Sigma \models R \to \neg p$). Then there exists a transition $t \in C^\bullet$ with $l(t) \in U$. Hence the 
proposition. $\square$ 


7. Local Progress 

Here we consider a progress operator $\triangleright$ ("yields") that again is defined over 
concurrent runs. It squeezes more information out of an es-net's structure than the 
above described causes operator does. Hence $\Sigma \models p \triangleright q$ implies $\Sigma \models p \hookrightarrow q$, for 
each es-net $\Sigma$ and all state formulas $p, q \in \mathrm{sf}(P_\Sigma)$. In addition to a pick-up rule 
(in the line of Theorems 4.3 and 5.4), there are rules to embed yields formulas into 
a concurrent context and to compose such formulas. Those rules are sharp enough 
to prove (among other properties) the validity of the above described property 
$\Sigma_2 \models ABC \hookrightarrow AG \vee CF$. 

It is the disjunctive composition of yields formulas $p \triangleright q$ that fully exploits the 
power of the yields operator. Hence we define: 

Definition 7.1. Let $P$ be a set and let $p_1, \ldots, p_n, q_1, \ldots, q_n \in \mathrm{sf}(P)$ be state formulas over $P$. Then $p := (p_1 \triangleright q_1) \vee \cdots \vee (p_n \triangleright q_n)$ is a yields formula over $P$. Let 
$\mathrm{Yf}(P)$ denote the set of all yields formulas over $P$. 

Yields formulas over an es-net's local states are interpreted over its concurrent 
runs: 

Definition 7.2. Let $\Sigma$ be an es-net, let $p := (p_1 \triangleright q_1) \vee \cdots \vee (p_n \triangleright q_n) \in \mathrm{Yf}(P_\Sigma)$ be 
a yields formula over $P_\Sigma$ and let $K$ be a $\Sigma$-based run. 

(1) For $1 \le i \le n$, $K \models p_i \triangleright q_i$ iff each $p_i$-state $L \subseteq {}^\circ K$ has a reachable $q_i$-state. 

(2) $K \models p$ iff for some $1 \le i \le n$ holds: $K \models p_i \triangleright q_i$. 

(3) $\Sigma \models p$ iff for each reachable concurrent run $K$ of $\Sigma$ holds: $K \models p$. 
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yields  is  in  fact  stronger  than  causes : 

Lemma 7.3. Let $\Sigma$ be an es-net and let $p, q \in sf(P_\Sigma)$. If $\Sigma \models p \rhd q$ then $\Sigma \models p \hookrightarrow q$.

Proof. Let $\Sigma \models p \rhd q$. Then for each reachable run $K$ holds: each $p$-state $L \subseteq {}^\circ K$ has a reachable $q$-state. Hence ${}^\circ K$ is no $p$-state or has a reachable $q$-state. Hence $K \models p \hookrightarrow q$. □

The operator $\rhd$ essentially differs from $\mapsto$ and $\hookrightarrow$ with respect to implication: $\Sigma \models p \to q$ does in general not imply $\Sigma \models p \rhd q$. Hence $\Sigma \models p \hookrightarrow q$ does in general not imply $\Sigma \models p \rhd q$. As an example, $\Sigma_3 \models C \hookrightarrow E$ but not $\Sigma_3 \models C \rhd E$.

The yields operator allows for proof graphs, too:

Lemma 7.4. (1) If $\Sigma \models p \rhd q$ and $\Sigma \models q \rhd r$ then $\Sigma \models p \rhd r$.

(2) If $\Sigma \models p \rhd r$ and $\Sigma \models q \rhd r$ then $\Sigma \models (p \vee q) \rhd r$.

(3) If $\Sigma \models (p \rhd q) \vee (p \rhd r)$ then $\Sigma \models p \rhd (q \vee r)$.

Proof  of  this  Lemma  just  applies  Definition  7.2  and  is  left  to  the  reader. 

We stick to standard yields formulas in the sequel: each state formula $p_i$ in each component $p_i \rhd q_i$ is just a conjunction (written as a subset according to Definition 3.3(1)) of local states:

Definition 7.5. Let $P$ be a set of symbols and let $p = (p_1 \rhd q_1) \vee \cdots \vee (p_n \rhd q_n) \in Yf(P)$ be a yields formula over $P$. Then $p$ is said to be standard iff $p_1, \ldots, p_n \subseteq P$. In this case, $pre(p) := p_1 \cup \cdots \cup p_n$ is the precondition of $p$.

The  validity  of  standard  yields  formulas  can  be  characterized  as  follows: 

Lemma 7.6. Let $\Sigma$ be an es-net, let $p \rhd q \in Yf(P_\Sigma)$ be standard and let $K$ be a $\Sigma$-based run. Then $K \models p \rhd q$ iff either $p \not\subseteq l({}^\circ K)$ or $L := \{k \in {}^\circ K \mid l(k) \in p\}$ has a reachable $q$-state.

Proof. For $p \subseteq P_\Sigma$, $L \subseteq {}^\circ K$ is a $p$-state iff $p \subseteq l(L)$. □

Local  progress  can  be  picked  up  from  the  structure  of  an  es-net: 

Theorem 7.7. Let $\Sigma$ be an es-net, let $Q \subseteq P_\Sigma$ be progress prone and let $U$ be a change set of $Q$ with $Q = {}^\bullet U$. Then $\Sigma \models \bigvee_{u \in U} {}^\bullet u \rhd u^\bullet$.

Proof. Let $K$ be a reachable run of $\Sigma$. According to Definition 7.2 we have to show:

(1) $K \models {}^\bullet u \rhd u^\bullet$ for some $u \in U$.

The formula $\bigvee_{u \in U} {}^\bullet u \rhd u^\bullet$ is apparently standard. In case ${}^\bullet U \not\subseteq l({}^\circ K)$, there exists an action $u \in U$ with ${}^\bullet u \not\subseteq l({}^\circ K)$ and we are done with Lemma 7.6 and Definition 7.2. Otherwise ${}^\bullet U \subseteq l({}^\circ K)$, hence $Q \subseteq l({}^\circ K)$ (as $Q \subseteq {}^\bullet U$), hence $l({}^\circ K)$ enables at least one progressing action $u \in Q^\bullet$ (as $Q$ is progress prone). Hence for $L := \{k \in {}^\circ K \mid l(k) \in Q\}$ holds: $L \not\subseteq K^\circ$ (by Definition 2.8). Hence there exists a transition $t_0 \in L^\bullet$. Before continuing the proof's main stream we show

(2) If there exists some $t \in L^\bullet$ then there exists some $r \in T_K$ with ${}^\bullet r \subseteq L$.

by induction on the height $h(t)$ of $t$: inductively let $h(t) := 0$ if ${}^\bullet t \subseteq L$ and $h(t) := \max\{h(r) \mid r^\bullet \cap {}^\bullet t \neq \emptyset\} + 1$ if ${}^\bullet t \not\subseteq L$. Fig. 7.1 outlines the forthcoming arguments. If $h(t) = 0$, then (2) holds with $r = t$. Now for $n \ge 1$ assume (2) for all $t'$ with $h(t') < n$ and let $t \in L^\bullet$ with $h(t) = n$. Then there exists some $s \in {}^\bullet t \setminus L$. Furthermore, $l(t) \in U$ (as $U$ is a change set of $Q$). Then $l(s) \in Q$ (as ${}^\bullet U = Q$ by the Theorem's assumption). Then there exists some $s' \in L$ with $l(s') = l(s)$ (by construction of $L$). Then $s$ and $s'$ are not concurrent (by Definition 2.7(1)). Then $s' <_K s$ (as $s' \in {}^\circ K$). Then there exists some $t' \in T_K$ with $s' \, F_K \, t' \, F_K \, s \, F_K \, t$. Then $h(t') < h(t)$ (by construction of $h$). Then there exists some $r \in T_K$ with ${}^\bullet r \subseteq L$ (by the inductive assumption). Hence the proposition (2).

Figure 7.1. Outline of the proof of (2)

Turning back to the proof's main stream, $t_0 \in L^\bullet$ implies some $r \in T_K$ with ${}^\bullet r \subseteq L$ (by (2)). Then $l(r) \in U$ (by construction of $L$ and $U$). In order to show (1) we more concretely show

(3) $K \models {}^\bullet l(r) \rhd l(r)^\bullet$

by help of Lemma 7.6 as follows:

$\{k \in {}^\circ K \mid l(k) \in {}^\bullet l(r)\} = \{k \in {}^\circ K \mid l(k) \in l({}^\bullet r)\}$ (by Definition 2.7(2)) $= \{k \in {}^\circ K \mid k \in {}^\bullet r\}$ (by Definition 2.7(1)) $= {}^\bullet r$. Obviously, $r^\bullet$ is reachable from ${}^\bullet r$ in $K$, and $r^\bullet$ is a $l(r^\bullet)$-state (by construction), i.e. a $l(r)^\bullet$-state (by Definition 2.7(2)). Hence (3) by Lemma 7.6. □

Components  of  yields  formulas  can  be  embedded  into  a  concurrent  context: 

Theorem 7.8. Let $\Sigma$ be an es-net, let $p, q, r \subseteq P_\Sigma$ with $p \cap r = \emptyset$ and let $u \in Yf(P_\Sigma)$. If $\Sigma \models (p \rhd q) \vee u$ then $\Sigma \models ((p \cup r) \rhd (q \cup r)) \vee u$.

Proof. Let $K$ be a reachable concurrent run of $\Sigma$. According to Definition 7.2(3) we have to show:

(1) $K \models ((p \cup r) \rhd (q \cup r)) \vee u$.

In case $K \models u$ we are done by Definition 7.2(2). Otherwise holds $K \models p \rhd q$, by the Theorem's assumption $\Sigma \models (p \rhd q) \vee u$ and Definition 7.2. Then either $p \not\subseteq l({}^\circ K)$ or $L_p := \{k \in {}^\circ K \mid l(k) \in p\}$ has a reachable $q$-state, $M$ (by Lemma 7.6). Then either $p \cup r \not\subseteq l({}^\circ K)$ or for $L_r := \{k \in {}^\circ K \mid l(k) \in r\}$ holds: $M \cup L_r$ is reachable from $L_p \cup L_r$, hence $L_p \cup L_r$ has a reachable $q \cup r$-state, hence $K \models (p \cup r) \rhd (q \cup r)$ (again by Lemma 7.6, and by construction of $M$ and $L_r$). This implies (1) by Definition 7.2(2). □

Yields  formulas  can  quite  generally  be  composed,  provided  some  of  the  involved 
components  are  standard  and  their  preconditions  are  sufficiently  disjoint: 

Theorem 7.9. Let $\Sigma$ be an es-net, let $p, q, r, s \subseteq P_\Sigma$ with $(p \cap r) \subseteq q$, let $u \in Yf(P_\Sigma)$ and let $v$ be a standard yields formula with $pre(v) \cap p = \emptyset$. Furthermore assume $\Sigma \models (p \rhd q) \vee u$ and $\Sigma \models (r \rhd s) \vee v$. Then $\Sigma \models (p \cup (r \setminus q) \rhd s \cup (q \setminus r)) \vee u \vee v$.
Proof. According to Definition 7.2(3) we have to show for each reachable concurrent run $K$ of $\Sigma$: $K \models (p \cup (r \setminus q) \rhd s \cup (q \setminus r)) \vee u \vee v$. Hence assume a reachable concurrent run $K$ of $\Sigma$.

If $K \models u$ or $K \models v$, we are done (by Definition 7.2(2)). Otherwise holds

(1) $K \not\models v$ and

(2) $K \models (p \rhd q)$,

by the Theorem's assumptions and Definition 7.2, and we have to show $K \models p \cup (r \setminus q) \rhd s \cup (q \setminus r)$. In case $p \cup (r \setminus q) \not\subseteq l({}^\circ K)$, we are done. Otherwise let $L \subseteq {}^\circ K$ with $L = \{k \in {}^\circ K \mid l(k) \in p \cup (r \setminus q)\}$. By Lemma 7.6 we have to show that

(3) $L$ has a reachable $(s \cup (q \setminus r))$-state.


Figure  7.2.  Outline  of  the  proof  of  Theorem  7.9 
Fig.  7.2  outlines  the  forthcoming  arguments. 

• There exists a subset $L_p \subseteq L$ with $l(L_p) = p$ (by construction of $L$). Then $L_p$ has a reachable $q$-state $L_q$ (by (2) and Lemma 7.6). Then $L' := (L \setminus L_p) \cup L_q$ is reachable from $L$ and $L'$ is a $((p \cup (r \setminus q)) \setminus p) \cup q$-state (by construction) and even a $(r \cup q)$-state (by the Theorem's assumption $(r \cap p) \subseteq q$). Hence there exists a subset $L_r \subseteq L'$ with $l(L_r) = r$.

• Let $\bar L := ({}^\circ K \setminus L_p) \cup L_q$. $\bar L$ is reachable in $K$ and hence

(4) $l(\bar L)$ is reachable in $\Sigma$, and

(5) $L_r \subseteq \bar L$

because $L_r \subseteq L' \subseteq \bar L$ by construction of $L_r$, $L'$ and $\bar L$.

• Let $K'$ be the largest subnet of $K$ such that ${}^\circ K' = \bar L$ (i.e. $K'$ coincides with the elements of $K$ that are reachable from $({}^\circ K \setminus L_p) \cup L_q$).

• Let $v = (p_1 \rhd q_1 \vee \cdots \vee p_n \rhd q_n)$. Then for all $1 \le i \le n$ holds: $K \not\models p_i \rhd q_i$ (by (1) and Definition 7.2(2)), hence there exists a subset $L_i \subseteq {}^\circ K$ with $l(L_i) = p_i$ and $L_i$ has no reachable $q_i$-state (by Lemma 7.6). Furthermore, $L_i \cap L_p = \emptyset$ (by the Theorem's assumption $pre(v) \cap p = \emptyset$), hence $L_i \subseteq {}^\circ K'$ (by construction of $K'$), hence $K' \not\models p_i \rhd q_i$.

Then $K' \not\models v$ (by Definition 7.2(2)). Then $K' \models r \rhd s$ (by the Theorem's assumption $\Sigma \models (r \rhd s) \vee v$, Definition 7.2(2) and Definition 7.2(3)). Then $L_r$ has a reachable $s$-state, $L_s$ (by (5), construction of $K'$, and Lemma 7.6). Then $L'_s := (L' \setminus L_r) \cup L_s$ is reachable from $L'$ and $L'_s$ is a $((r \cup q) \setminus r) \cup s$-state, hence a $s \cup (q \setminus r)$-state. Furthermore, $L'_s$ is reachable from $L$ (by construction of $L'$ and Lemma 7.4(1)). This implies (3). □

Theorems 7.7, 7.8 and 7.9 provide rules to pick up, to embed and to compose yields formulas, sufficient to prove $\Sigma_2 \models ABC \hookrightarrow AG \vee CF$, as discussed in (5.1). The proof gives a formal basis for an intuitive justification of (5.1):

1. $A \rhd D$, picked up: $\{a\}$ is a change set of $A$.

2. $C \rhd E$, picked up: $\{b\}$ is a change set of $C$.

3. $(BD \rhd F) \vee (BE \rhd G)$, picked up: $\{c, d\}$ is a change set of $BDE$.

4. $(AB \rhd F) \vee (BE \rhd G)$, composed, with 1. and 3.

5. $(AB \rhd F) \vee (BC \rhd G)$, composed, with 2. and 4.

6. $(ABC \rhd FC) \vee (BC \rhd G)$, embedded, with 5.

7. $(ABC \rhd FC) \vee (ABC \rhd AG)$, embedded, with 6.

8. $ABC \rhd (FC \vee AG)$, Lemma 7.4(3).

9. $ABC \hookrightarrow (FC \vee AG)$, Lemma 7.3.

We consider the corresponding proof in [8] less oriented at intuition. As a variant, assume quiescence for the action $a$ of $\Sigma_2$. Then the above discussed property (5.1) remains valid. But the above proof fails, because $A \rhd D$ cannot be picked up anymore: $\{a\}$ is no change set of $A$ because a change set must contain at least one progressing action. Proof of (5.1) can nevertheless be conducted by help of the change set $\{a, d\}$ of $ABE$ (the action $c$ is excluded by the place invariant $A + D + F = 1$). Employing 2., 3., 5.-9. of the above proof we now argue as follows:

10. $(A \rhd D) \vee (BE \rhd G)$, picked up: $\{a, d\}$ is a change set of $ABE$.

11. $(AB \rhd F) \vee (BE \rhd G) \vee (BE \rhd G)$, composed, with 3. and 10. From 11. now follows 4. by propositional logic, and 5.-9. as above.
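The derivation in steps 1.-11. above, replayed as an added Python model (not code from the paper): standard yields formulas are sets of (precondition, postcondition) pairs over place names, and the embedding rule of Theorem 7.8 and the composition rule of Theorem 7.9 refuse to fire unless their side conditions ($p \cap r = \emptyset$, respectively $(p \cap r) \subseteq q$ and $pre(v) \cap p = \emptyset$) hold. The picked-up formulas of steps 1.-3. and 10. are taken as given, since picking up (Theorem 7.7) needs the net $\Sigma_2$ itself.

```python
"""Mechanical replay of the yields-formula derivation for (5.1).

A standard yields formula (p1 > q1) v ... v (pn > qn) over local states is
modelled as a frozenset of (p_i, q_i) pairs, each a frozenset of place names.
Added illustration, not code from the paper."""
from typing import FrozenSet, Tuple

Places = FrozenSet[str]
Component = Tuple[Places, Places]
Yields = FrozenSet[Component]


def comp(pre_places: str, post_places: str) -> Component:
    """Build a component from place strings, e.g. comp("AB", "F") is AB > F."""
    return frozenset(pre_places), frozenset(post_places)


def yf(*components: Component) -> Yields:
    """The disjunction of the given components."""
    return frozenset(components)


def pre(formula: Yields) -> Places:
    """pre(v) of Definition 7.5: the union of all component preconditions."""
    return frozenset().union(*(p for p, _ in formula))


def embed(formula: Yields, component: Component, r: Places) -> Yields:
    """Theorem 7.8: from (p > q) v u infer ((p u r) > (q u r)) v u, provided p n r = {}."""
    p, q = component
    if component not in formula:
        raise ValueError("component is not a disjunct of the formula")
    if p & r:
        raise ValueError("embedding requires p n r = {}, but they share " + "".join(sorted(p & r)))
    return (formula - {component}) | {(p | r, q | r)}


def compose(f1: Yields, c1: Component, f2: Yields, c2: Component) -> Yields:
    """Theorem 7.9: from (p > q) v u and (r > s) v v infer
    (p u (r \\ q) > s u (q \\ r)) v u v v, provided (p n r) <= q and pre(v) n p = {}."""
    (p, q), (r, s) = c1, c2
    if c1 not in f1 or c2 not in f2:
        raise ValueError("component is not a disjunct of its formula")
    u, v = f1 - {c1}, f2 - {c2}
    if not (p & r) <= q:
        raise ValueError("composition requires (p n r) <= q")
    if pre(v) & p:
        raise ValueError("composition requires pre(v) n p = {}, but they share " + "".join(sorted(pre(v) & p)))
    return u | v | {(p | (r - q), s | (q - r))}


def join(formula: Yields) -> Tuple[Places, FrozenSet[Places]]:
    """Lemma 7.4(3): (p > q) v (p > r) gives p > (q v r); every disjunct must share p."""
    pres = {p for p, _ in formula}
    if len(pres) != 1:
        raise ValueError("Lemma 7.4(3) needs a common precondition")
    return pres.pop(), frozenset(q for _, q in formula)


def derive_51() -> Tuple[Places, FrozenSet[Places]]:
    """Steps 1.-8. of the proof of (5.1); the result reads ABC > (FC v AG)."""
    s1 = yf(comp("A", "D"))                                  # 1. picked up: {a} is a change set of A
    s2 = yf(comp("C", "E"))                                  # 2. picked up: {b} is a change set of C
    s3 = yf(comp("BD", "F"), comp("BE", "G"))                # 3. picked up: {c, d} is a change set of BDE
    s4 = compose(s1, comp("A", "D"), s3, comp("BD", "F"))   # 4. (AB > F) v (BE > G)
    s5 = compose(s2, comp("C", "E"), s4, comp("BE", "G"))   # 5. (AB > F) v (BC > G)
    s6 = embed(s5, comp("AB", "F"), frozenset("C"))         # 6. (ABC > FC) v (BC > G)
    s7 = embed(s6, comp("BC", "G"), frozenset("A"))         # 7. (ABC > FC) v (ABC > AG)
    return join(s7)                                         # 8. ABC > (FC v AG)


def derive_step_11() -> Yields:
    """Steps 10.-11. for quiescent a: composing 3. and 10. gives step 4. again,
    the duplicated disjunct BE > G collapsing by idempotence of v."""
    s3 = yf(comp("BD", "F"), comp("BE", "G"))
    s10 = yf(comp("A", "D"), comp("BE", "G"))                # 10. picked up: {a, d} is a change set of ABE
    return compose(s10, comp("A", "D"), s3, comp("BD", "F"))
```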

8.  Conclusion 

This paper reports some aspects of a sustained effort to set an adequate basis for Distributed Algorithms. One of the outcomes of this effort is the notion of elementary system nets as introduced in Chapter 2, and particularly the notions of quiescence, progress and fairness, as required for many real life algorithms [10-14]. The notion of fairness, as well as the high level formalism of system nets, have not played any role in this paper.

Three versions of temporal logic have been studied in this paper. They are examples of linear time temporal logic, because for each of them a formula $p$ is said to hold in a system $\Sigma$ if and only if $p$ holds in each reachable run of $\Sigma$. The three versions of logic differ however with respect to the considered runs (interleaved runs for leads-to and concurrent runs for yields and causes), and with respect to the granularity of information that is squeezed out of a concurrent run (yields with finer granularity than causes).


W.  REISIG 


Properties of distributed algorithms that are usually considered essential can mostly be formulated by help of leads-to formulas $p \mapsto q$, where $q$ is a disjunction $q = \bigvee Q$ of a set $Q$ of atoms. We have shown that yields and causes can be used to prove such leads-to properties more elegantly.

The deepening understanding of distributed algorithms reveals that there are also crucial properties that are not captured by leads-to properties. Examples include the property (5.1) and rounds: a variant of $\Sigma_2$ with property (5.1) has been introduced in [8] as a description of serializability of distributed database transactions. The concept of rounds allows one to structure the behaviour of many distributed algorithms simply, in particular algorithms on networks of communicating agents. The behaviour of many such algorithms $\Sigma$ can be described by help of “regular” operators over a finite set of finite, cyclic, $\Sigma$-based concurrent runs (more precisely, as a regular Mazurkiewicz trace language, cf. [6]). Causes formulas $p \hookrightarrow q$ are an adequate means to represent such properties. Their proof can occasionally be simplified by help of yields formulas $p \rhd q$ (as in the proof given in Chapter 6 for (5.1)).

Properties described by causes formulas $p \hookrightarrow q$ are intuitively obvious. But examples of corresponding essential properties of real-life distributed algorithms remain to be found.
Amir Pnueli drew my attention to $\Sigma_2$ (Fig. 2.3) and property (5.1) a couple of years ago. This provided a sustained challenge to me and my research group's several attempts to design an adequate logic for concurrency, and strongly influenced the design of the causes and yields operators given in this paper. Many thanks to Amir and all colleagues mentioned above.
Abstract

The sequentiality postulate assumes that events occur in a definite order. We explore some of the boundary of applicability of this postulate for the case of sequential observers, varying number of observers, duration of events, and variability of events. When there is one observer or events are atomic, the sequentiality postulate holds, making linear orders a fully abstract model of concurrent behavior. With more than one observer and with structured events it fails. We show that unlimited observers and variable events make pomsets a fully abstract model. Putting duration in place of variability yields an intermediate situation in which the sequentiality postulate does not hold but pomsets are not a fully abstract model.


1  Overview 

It is widely believed that trace or interleaving semantics, which assigns a definite order of occurrence to every pair of events, is sufficient for all practical purposes. In support of this belief, Jonsson [Jon89] and Russell [Rus89] show that trace semantics is fully abstract for parallel computation, at least of the kind represented by Kahn networks.

However these full abstractness results suffer from an overly constrained notion of observer. In this paper we consider a wider range of observational behaviors or testing scenarios, and give a detailed picture of just where full abstractness for trace semantics becomes unsound for the eight scenarios obtained by varying three basic parameters of computation, namely duration $D$, variability $V$, and multiplicity $M$ of observers (“teams”).

Duration expresses the notion of an ongoing action, one that can be analyzed as a sequence of subactions. Duration is naturally modeled as a string. An action $a$ may be analyzed as say the string $a_1 a_2$ indicating that $a$ decomposes into two consecutively performed actions, $a_1$ then $a_2$.

Variability expresses choice, naturally modeled as a set of alternatives. An action $a$ may be analyzed as say the set $\{a_1, a_2\}$ indicating that for $a$ to occur means that exactly one of $a_1$ or $a_2$ occurs.

Multiplicity  expresses  the  notion  of  two  or  more  observers  both  observing 
the  same  run  of  a  computation,  but  from  different  vantage  points.  We  shall 
assume  that  when  two  observers  see  the  same  events  from  different  viewpoints, 
they  agree  on  all  choices  that  have  been  made,  including  those  associated  with 
variability,  but  may  disagree  on  the  relative  order  of  events.  We  understand 
choice  as  absolute,  in  that  it  is  unambiguous  which  of  two  alternatives  has  been 
chosen.  However  we  view  time  as  relative  in  that  two  events  not  occurring  in 
each  other's  light  cone  do  not  have  a  well-defined  order  of  occurrence.  This 
asymmetry  of  choice  and  time,  while  certainly  questionable,  is  consistent  with 
physics  as  standardly  taught. 

Our results in the case of computational behaviors consisting of single pomsets (labeled partial orders) are summarized by the following cube.


Figure 1. Eight testing scenarios (cube diagram with vertices $0$, $D$, $V$, $M$, $DV$, $DM$, $VM$, $DVM$)

Edges are labeled with the number of the relevant proposition, while the double lines indicate equivalence, with respect to distinguishing power, of two kinds of observational behavior, with the remaining lines then indicating strict inequalities. Thus Proposition 1 shows that Duration on its own makes a difference while Propositions 2 and 3 show that neither Variability nor Multiplicity make any difference, neither on their own nor as an addition to Duration. Proposition 4 shows that in the presence of Variability, Multiplicity does make a difference. Moreover an unlimited supply of observers leads to full abstractness for pomsets even at $VM$, whence $DVM$ cannot be any bigger and so must equal $VM$. This then has the side effect of removing Duration as a contributing factor.

The identifications reduce the classes to three, namely $0 = V = M$, $D = DV = DM$, and $VM = DVM$, while Propositions 1 and 4 show that these three classes are distinct.

As a refinement of these all-or-nothing results, Proposition 5 extends Proposition 4 to a hierarchy theorem: $n + 1$ observers can observe distinctions invisible to $n$ observers.

We also consider processes as sets of pomsets, and show that the identifications of $VM$ with $DVM$, and of $0$ with $V$, continue to hold. (Rob van Glabbeek has pointed out to us that this cannot be improved, via examples separating $D$ from $DV$ and from $DM$, and $0$ from $M$.)


2  Background 

Linearly ordered multisets (labelled chains up to isomorphism) are strings. Pomsets as partially ordered multisets therefore constitute a generalization of strings to partial orders. This model as an extension of formal language theory is due to Grabowski [Gra81] who called it a partial word, the characterization as a partially ordered multiset being due to the second author [Pra82]. Pomsets with a conflict relation are called event structures, introduced by Nielsen, Plotkin, and Winskel [NPW81]. Prior related notions are Mazurkiewicz's partial monoids [Maz77, Maz84] and Greif's treatment of actors [Gre75]. A list of more recent papers on the topic [MS80, Gis88, Pra86, AH87, Win88] would be bound to be incomplete.

We  shall  identify  observation  with  linearization.  That  is,  at  least  in  the  case 
of  atomic  events,  an  observer  of  a  pomset  sees  its  events  in  some  linear  order 
consistent  with  the  order  of  the  pomset. 

To  a  zeroth  order  approximation,  two  pomsets  should  be  observationally 
equivalent  when  they  have  the  same  set  of  linearizations. 

The  familiar  theorem  that  (the  graph  of)  a  poset  is  the  intersection  of  the 
set  of  (graphs  of)  its  linearizations  is  due  to  Szpilrajn  [Szp30].  In  our  framework 
posets  are  pomsets  with  no  repeated  elements,  i.e.  the  function  assigning  labels 
to  poset  elements  is  injective.  Thus  in  our  application  Szpilrajn’s  theorem  states 
that  distinct  posets  are  not  observationally  equivalent. 

At the other extreme from posets are pomsets over a one-letter alphabet, say the alphabet $\{a\}$. In our framework these amount to posets up to isomorphism. (So pomsets span a spectrum from posets-up-to-isomorphism to posets.) There are just two two-element pomsets over $\{a\}$, which we write as $aa$ (linearly ordered) and $a|a$ (discretely ordered). These have the same set of linearizations and hence are observationally equivalent. So whereas Szpilrajn's theorem applies to posets this example shows that it does not apply to posets up to isomorphism.
The meaning of $a|a$ is that we have two copies of an activity $a$ that are running in parallel. If $a$ is an instantaneous event, as we have been assuming up to now, and the possibility of exact simultaneity is neglected, then there would seem to be no basis for distinguishing between $aa$ and $a|a$ in either theory or practice.

If however $a$ has duration we have the possibility of overlap for the case $a|a$, but not for $aa$. We may represent duration by taking $a$ to be a pomset of size two or more, e.g. the string $01$. Then the only linearization of $aa$ is $0101$, whereas $a|a$ has for its linearizations both $0101$ and $0011$. Hence in the presence of events with duration it becomes possible to observe a difference between $aa$ and $a|a$. A similar difference is observable if we take $a$ to be $0|1$. In this case the linearizations of $aa$ are $0101$, $0110$, $1001$, and $1010$, while those of $a|a$ are those four together with $0011$ and $1100$.

Gischer [Gis88] shows that any two pomsets that are observationally equivalent for strings of length two are observationally equivalent for strings of any length, whence there is no duration hierarchy for strings. Gischer conjectured, and Tschantz has shown [Tsc94], that duration suffices to distinguish any two series-parallel (N-free) pomsets. (A series-parallel pomset is a pomset constructible using only the operations of concatenation $ab$ and concurrence $a|b$.) Hence series-parallel pomsets are extensional in the presence of duration. (Another striking corollary of this result is that the equational theory of concatenation and interleaving of languages is completely axiomatized by the equations for commutativity of interleaving and associativity of both.)

Gischer gives as an example of pomsets indistinguishable even with duration the two pomsets $N(a, a, b, b)$ and $ab|ab$, where $N(1, 2, 3, 4)$ is the 4-vertex pomset ordered so that $1 < 3$, $2 < 4$, and $1 < 4$, these constraints constituting respectively the two verticals and the diagonal of the letter N, so that $N(a, a, b, b)$ is $ab|ab$ plus the diagonal. If they could be distinguished it would have to be by a string of $ab|ab$ not allowed by $N(a, a, b, b)$, possible only by violating the diagonal $1 < 4$ of the N. Hence 1 and 4 overlap; where they do, 2 cannot have started but 3 must have finished, so the other diagonal $2 < 3$ is satisfied. But that diagonal belongs to an isomorphic copy of $N(a, a, b, b)$, whence that string must be allowed after all.

We  may  further  take  a  to  be  not  just  a  single  string  but  a  set  of  strings, 
that  is,  a  language.  This  provides  a  notion  of  variety  for  a:  we  have  a  variety  of 
choices  of  behaviors  of  a.  When  all  strings  of  a  are  of  unit  length  we  have  variety 
without  duration.  Variety  provides  those  little  unpredictable  hints  that  can 
allow  observers  to  reach  consensus  as  to  the  identities  of  entities  without  them 
being  a  part  of  the  observation  language.  In  some  observations  the  observers 
may  be  unlucky  and  not  get  enough  such  hints;  it  only  matters  that  there  exist 
observations  that  do  provide  sufficient  hints. 

Gischer's argument above remains valid in the presence of variety, giving a pair of pomsets which variety does not help distinguish.

Two minor results concerning refinements of observational equivalence in this setting are as follows.

(i)  For  a  single  observer,  duration  helps  but  variety  does  not. 

(ii)  For  multiple  observers  to  make  a  difference,  variety  without  duration 
helps  but  duration  without  variety  does  not. 

Our  main  result  is: 

(iii) With enough variety and observers any two finite pomsets can be distinguished, even without duration.

Results (i) and (ii) assign very different roles to duration and variety. Duration is a loner that can help, though not always, as evidenced by Gischer's example above of $N(a, a, b, b) = ab|ab$. Variety on the other hand is useless by itself but in collaboration with multiple observers is able not only to outperform duration but, as (iii) shows, to make pomsets fully visible, i.e. extensional. The proof of (iii) is via a straightforward reduction to the poset case, allowing us to apply Szpilrajn's theorem.

A refinement of (iii) is that with enough variety, the number of observers needed to distinguish two pomsets is at most the larger of the dimensions of their underlying posets.¹ This shows that the hierarchy of observational equivalences with $n$ observers is strict: $n + 1$ observers can resolve more detail than $n$. Although our proof of this result is not long, neither is it at all obvious!

3  Definitions 

The following notions are essentially as in [Gis84]. We start out by defining labelled partial orders and their maps.

Definition 1. A labelled partial order or lpo over a set $\Sigma$ is a structure $(V, \le, \sigma, \Sigma)$ where $\le$ partially orders $V$ and $\sigma : V \to \Sigma$ assigns to each element of $V$ an element of $\Sigma$. When necessary we write the components of lpo $p$ as $(V_p, \le_p, \sigma_p, \Sigma_p)$.

We think of $\Sigma$ as an alphabet of actions and $V$ as instances of that alphabet, or events forming a word, with the order of occurrences of letters in the word given by $\le$. The usual formal language theoretic notion of a word obtains for $\le$ linear. An atomic lpo is one with $|V| = 1$.

Definition 2. A map of lpo's $(f, t) : (V, \le, \sigma, \Sigma) \to (V', \le', \sigma', \Sigma')$ consists of a monotone map $f : (V, \le) \to (V', \le')$ of posets together with an alphabet map (function) $t : \Sigma \to \Sigma'$ such that for all $v$ in $V$, $\sigma'(f(v)) = t(\sigma(v))$.

Certain maps of lpo's are of special interest here. An isomorphism of lpo's is a map $(f, t)$ for which $f$ is an isomorphism of posets and $t$ is the identity map on $\Sigma$ (so isomorphic lpo's have a common alphabet). An augmentation of lpo's is a map $(f, t)$ for which $t$ is the identity function and $f$ is the identity function on the elements of the poset (but not necessarily an isomorphism of posets, i.e. the

¹The dimension of a poset is the least number of linearizations of that poset whose intersection is that poset. The notion is due to Dushnik and Miller [DM41]; see Kelly and Trotter [KT82] for a survey.
order may increase); an augmentation yields an augment of its argument. We write $p \sqsubseteq q$ to indicate that $q$ is an augment of $p$; this is the converse of Gischer's subsumption relation $q \succ p$ [Gis84].

Definition  3.  A  pomset  is  the  isomorphism  class  of  an  lpo. 

More intuitively a pomset is an lpo in which we pay no attention to the choice of the set $V$, other than its cardinality, but retain all other details. Thus if we replace $V = \{0, 1, 2\}$ by $V = \{5, 6, 7\}$ without otherwise disturbing either $\le$ or $\sigma$ the pomset does not change. With our definition of observation, isomorphic lpo's will be seen to be observationally equivalent, whence the most we can hope to resolve even with multiple observers is pomsets.

We  shall  understand  a  map  between  two  pomsets  to  be  a  map  between 
representative  lpo’s  of  the  respective  pomsets. 

Definition 4. A process $P$ is a set of finite pomsets. A process is augment closed when for all $p \sqsubseteq q$, $p \in P$ implies $q \in P$. The augment closure $\alpha(P)$ of $P$ is the least augment closed process containing $P$.

We wish to define observation in terms of the notions of linearization and substitution, which we now define.

Definition 5. A linearization of a pomset $p$ is a linear augment of $p$. We write $\Lambda(p)$ for the set of all linearizations of $p$. This extends to $\Lambda(P)$ for $P$ a set of pomsets, namely as $\Lambda(P) = \bigcup_{p \in P} \Lambda(p)$.

Formal language theory has the notions of homomorphism and substitution [HU79]. These both generalize immediately from strings to pomsets. (This notion of homomorphism is quite different from that of map between two pomsets: the former goes between sets of pomsets, the latter between single pomsets.)

Definition 6. A pomset homomorphism is a function mapping pomsets on $\Sigma$ to pomsets on $\Sigma'$. It is determined by a function $f$ assigning a pomset on $\Sigma'$ to each letter of $\Sigma$. It maps $p$ to the pomset whose set of events is the disjoint sum of the events of the $f(\sigma(u))$'s over all $u \in V_p$, definable as $\{(u, v) \mid u \in V_p,\ v \in V_{f(\sigma(u))}\}$. Each $(u, v)$ is labelled with $\sigma_{f(\sigma(u))}(v)$, i.e. just as $v$ was labelled in $f(\sigma(u))$, and ordered so that $(u, v) < (u', v')$ just when $u <_p u'$ (i.e. $u \le_p u'$ and $u \neq u'$) or ($u = u'$ and $v <_{f(\sigma(u))} v'$), that is, lexicographic ordering.

Intuitively this is what is obtained by substituting a pomset for each label of $p$ and flattening the resulting nested structure in the obvious way. For example the homomorphism taking $a$ to $bc$ takes $aa$ to $bcbc$ and $a|a$ to $bc|bc$, while the homomorphism taking $a$ to $b|c$ takes $aa$ to $(b|c)(b|c)$ and $a|a$ to $b|b|c|c$.

This generalizes to substitutions of sets of pomsets exactly analogously to the generalization of homomorphisms of strings to substitutions of sets of strings [HU79], in which the result of substituting a set of strings for a letter is the set of all strings obtainable by choosing any string from each substitution instance of such a set. In lieu of a formal definition we offer the example of substituting the set $\{b, c\}$ for $a$ in $a|a$, having two substitution instances of $\{b, c\}$ and so yielding the set of three pomsets $b|b$, $b|c$, $c|c$ ($c|b$ being isomorphic to $b|c$ as an lpo and hence equal as a pomset). Just as for formal languages, a homomorphism can be viewed as the special case of a substitution of singletons.

We may now regard pomsets as expressions, with the labels acting as variables. Evaluation is then just substitution: values for the variables determine the value of the expression. Thus the pomset $aba$ is an expression with variables $a$ and $b$, and if the value of $a$ is $cd$ and that of $b$ is $\{e, f\}$ then the value of $aba$ is $\{cdecd, cdfcd\}$. With this interpretation of substitution in mind we write $p(s)$ for the value of $p$ under the substitution $s$. By $P(s)$ for a set $P$ of pomsets we understand the union over the elements $p \in P$ of $p(s)$.
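
The following Python program is an added illustration and not part of the paper: it encodes a labelled partial order as a pair (labels, strict order), implements the flattening of Definition 6 and the set substitution just described, and checks the worked examples above ($a \mapsto bc$ on $aa$ and $a|a$, $a \mapsto b|c$ on $aa$ and $a|a$, $\{b, c\}$ for $a$ in $a|a$, and the value of $aba$). The function names `flatten`, `homomorphism`, `substitution` and the brute-force isomorphism test `isomorphic` are the example's own choices, not notation from the paper.

```python
from itertools import permutations, product

# Representation used by this example (not the paper's notation): a labelled
# partial order (lpo) is a pair (labels, order) where labels maps each event to
# its letter and order is the set of strict pairs (u, v) with u < v, kept
# transitively closed.  A pomset is such an lpo taken up to isomorphism.

def linear(word):
    """The linear pomset of a string: event i carries word[i], ordered left to right."""
    labels = {i: ch for i, ch in enumerate(word)}
    order = {(i, j) for i in labels for j in labels if i < j}
    return labels, order

def parallel(*lpos):
    """Disjoint union p1 | p2 | ... with no order between the components."""
    labels, order = {}, set()
    for k, (lab, ordr) in enumerate(lpos):
        labels.update({(k, u): a for u, a in lab.items()})
        order |= {((k, u), (k, v)) for (u, v) in ordr}
    return labels, order

def sequence(p, q):
    """Concatenation p q: every event of p precedes every event of q."""
    labels, order = parallel(p, q)
    order |= {(u, v) for u in labels if u[0] == 0 for v in labels if v[0] == 1}
    return labels, order

def flatten(p, pick):
    """Definition 6: replace each event u of p by the lpo pick[u] and order the
    pairs lexicographically: (u, v) < (u', v') iff u <_p u', or u = u' and
    v < v' inside pick[u]."""
    labels, order = p
    new_labels = {(u, v): pick[u][0][v] for u in labels for v in pick[u][0]}
    new_order = {((u, v), (u2, v2))
                 for (u, v) in new_labels for (u2, v2) in new_labels
                 if (u, u2) in order or (u == u2 and (v, v2) in pick[u][1])}
    return new_labels, new_order

def homomorphism(p, f):
    """f assigns one lpo to each letter; every event labelled a is replaced by f[a]."""
    labels, _ = p
    return flatten(p, {u: f[labels[u]] for u in labels})

def substitution(p, s):
    """s assigns a list of lpos to each letter; each substitution instance
    chooses independently, so the value p(s) is a list of lpos."""
    labels, _ = p
    events = list(labels)
    return [flatten(p, dict(zip(events, choice)))
            for choice in product(*(s[labels[u]] for u in events))]

def isomorphic(p, q):
    """Brute-force lpo isomorphism, adequate for the handful of events used here."""
    (lp, op), (lq, oq) = p, q
    if len(lp) != len(lq) or len(op) != len(oq):
        return False
    pe = list(lp)
    for image in permutations(lq):
        bij = dict(zip(pe, image))
        if all(lp[u] == lq[bij[u]] for u in pe) and all((bij[u], bij[v]) in oq for (u, v) in op):
            return True
    return False

def distinct(lpos):
    """Representatives of a list of lpos up to isomorphism, i.e. the pomsets they denote."""
    reps = []
    for p in lpos:
        if not any(isomorphic(p, r) for r in reps):
            reps.append(p)
    return reps

def as_string(p):
    """Read a linear lpo back as a string (sort events by number of predecessors)."""
    labels, order = p
    return "".join(labels[u] for u in sorted(labels, key=lambda u: sum(1 for (_, y) in order if y == u)))

def worked_examples():
    """The examples of the text; each entry is either a truth value or the stated value."""
    aa = linear("aa")
    a_par_a = parallel(linear("a"), linear("a"))
    bc, b_par_c = linear("bc"), parallel(linear("b"), linear("c"))
    return {
        "aa -> bcbc": isomorphic(homomorphism(aa, {"a": bc}), linear("bcbc")),
        "a|a -> bc|bc": isomorphic(homomorphism(a_par_a, {"a": bc}), parallel(bc, bc)),
        "aa -> (b|c)(b|c)": isomorphic(homomorphism(aa, {"a": b_par_c}), sequence(b_par_c, b_par_c)),
        "a|a -> b|b|c|c": isomorphic(homomorphism(a_par_a, {"a": b_par_c}),
                                     parallel(linear("b"), linear("b"), linear("c"), linear("c"))),
        "{b,c} for a in a|a": len(distinct(substitution(a_par_a, {"a": [linear("b"), linear("c")]}))),
        "value of aba": sorted(as_string(v) for v in
                               substitution(linear("aba"), {"a": [linear("cd")], "b": [linear("e"), linear("f")]})),
        "aa vs a|a": isomorphic(aa, a_par_a),
    }
```

The last entry shows that the identity substitution already separates $aa$ from $a|a$, which is the observation made in the next paragraph; the isomorphism test is what turns the four substitution instances of $\{b, c\}$ into the three pomsets of the text.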

We  might  say  that  two  pomsets  are  equivalent  when  their  values  are  the  same 
for  all  substitutions.  But  merely  taking  the  value  of  each  variable  to  be  itself 
already  suffices  to  distinguish  distinct  pomsets,  so  this  equivalence  is  trivially 
the  identity  relation. 

The notion of observation as linearization, reflecting the sequential life of an individual observer, leads to more interesting equivalences. We tentatively define an observation of a pomset to be a linearization of it. Thus the set of all observations of $p$ is $\lambda(p)$, and the set of all observations of a set $P$ of pomsets is $\lambda(P)$. Pomsets $p$ and $q$ are equivalent when $\lambda(p(s)) = \lambda(q(s))$ for all substitutions $s$.

We  now  extend  this  notion  of  observation  to  multiple  observers.  The  idea 
is  that  n  observers  see  n  possibly  different  linearizations  of  the  one  observed 
pomset. 

Definition 7. An $n$-observation of a pomset $p$ is an $n$-tuple of linearizations of $p$. We write $\lambda_n(p)$ for the set consisting of all $n$-observations of $p$, a set of $n$-tuples of strings. For a process $P$ we take $\lambda_n(P) = \bigcup_{p \in P} \lambda_n(p)$.

Definition 8. Pomsets $p$ and $q$ are $n$-equivalent, written $p \equiv_n q$, when $\lambda_n(p) = \lambda_n(q)$. Likewise for processes, $P \equiv_n Q$ when $\lambda_n(P) = \lambda_n(Q)$.

Our  tentative  definitions  of  observation  and  equivalence  are  now  subsumed 
as  1-observation  and  1-equivalence. 

Implicit in our definition of $n$-equivalence is a consensus between the observers as to which pomset of $P$ to linearize, when constructing an $n$-observation in $\lambda_n(P)$. This reflects our intuition that the observers agreed on what happened but not when.

Finally we need the notion of dimension [KT82] in order to show the strictness of the hierarchy of $n$-equivalence in the presence of variety.

Definition  9.  The  dimension  of  a  poset  is  the  minimum  number  of  its 
linearizations  such  that  the  intersection  of  those  linearizations  is  that  poset. 
We  take  the  dimension  of  a  pomset  p  to  be  the  dimension  of  the  underlying 
poset  of  a  representative  lpo  of  p. 

4  Observation  of  Single  Pomsets 

In order to capture duration, variety, etc. we need a parametrized notion of $n$-equivalence, parametrized by the permitted substitutions. If substitutions are restricted so that the assignment to any variable must come from a class $C$ of sets of pomsets, e.g. singletons, sets of one-element pomsets, languages (sets of linear pomsets), we say that two pomsets are $n$-equivalent for $C$ when they have the same $n$-observations of their values for all substitutions where the assignments to the variables are drawn from $C$.

In the following we are interested in substitutions that have variety without duration, and duration without variety. We denote these classes of substitutions by Var and Dur respectively. A substitution from Var can replace each label by a set of labels. A substitution from Dur can replace each label by a pomset. The class of substitutions permitting neither duration nor variety, corresponding to mere renamings of labels, we call Atm for atomic substitutions.

None  of  our  results  make  essential  use  of  nonlinearity  in  the  substructure  of 
events.  For  example  if  Dur  is  taken  instead  to  consist  of  those  substitutions 
that  replace  labels  by  strings  rather  than  pomsets,  no  modifications  are  required 
to  either  the  following  propositions  or  their  proofs. 

The first two propositions are simple, but give some insight into the respective roles played by duration and variety.

We  first  show  that  for  a  single  observer,  duration  without  variety  helps  but 
variety  without  duration  does  not. 

Proposition 1. 1-equivalence for Dur is strictly finer than 1-equivalence for Atm.

Proof. It is finer because Dur includes Atm. The example of $aa$ and $a|a$ shows strictness. ∎

Proposition 2. 1-equivalence for Var coincides with 1-equivalence for Atm.

Proof. This follows from $\lambda(p(s)) = (\lambda(p))(s)$. That is, we can substitute sets for variables in $p$ and then linearize, or linearize $p$ first (yielding a language) and then substitute, with the same result in either case. Hence $\lambda(p(s)) = (\lambda(p))(s) = (\lambda(q))(s) = \lambda(q(s))$. ∎

Proposition 3. For all $n \ge 1$, 1-equivalence for Dur coincides with $n$-equivalence for Dur.

Proof. In this case $p(s)$ is a singleton, substitutions being homomorphisms, for which $\lambda_n(p(s))$ is the set of all $n$-tuples of linearizations of the pomset $p(s)$. Hence $\lambda_n(p(s))$ can be computed from $\lambda(p(s))$. Thus if $\lambda(p(s)) = \lambda(q(s))$, we must have $\lambda_n(p(s)) = \lambda_n(q(s))$ as well. ∎

Corollary. For all $n \ge 1$, 1-equivalence for Atm coincides with $n$-equivalence for Atm.

We now come to the main results. The next two propositions show that for multiple observers to make a difference, variety without duration helps but duration without variety does not. The former, Proposition 4, is the main result in that it shows that any two pomsets can be distinguished by $n$ observers for sufficiently large $n$. It is noteworthy that duration plays no role in this result! Since our first explorations in this area focused on the role of duration in distinguishing pomsets we did not at first expect such a result. In retrospect it is not so surprising, nor particularly deep, being a straightforward reduction to Szpilrajn's theorem.

Proposition 4. For any pomset $p$ there exists $n$ such that $p$ is not $n$-equivalent for Var to any other pomset.

Proof. We use variety to distinguish the otherwise indistinguishable events of a pomset. Let $m$ be the size of $p$. We take $n$ to be $m!$. Consider the substitution $s$ mapping each letter $a$ of $\Sigma$ to the $m$-element set $\{(a, i) \mid 0 \le i < m\}$. This is enough variety for $p(s)$ to include at least one poset, call it $q$. Then $\lambda(q)$ has at most $m!$ members, whence some $m!$-tuple of $\lambda_{m!}(q)$ will contain all of them. This gives us a procedure for recovering $p$ from $\lambda_{m!}(p(s))$. Discard $m!$-tuples of $\lambda_{m!}(q)$ not corresponding to posets (repeated letters). From the remainder select any $m!$-tuple with a maximum number of different components, an $m!$-observation of some poset $q$. Use Szpilrajn's theorem to infer $q$ from the $m!$-observation. Replace each label $(a, i)$ by $a$ in $q$, to yield $p$. This construction shows that the $p$ so recovered will be independent of the choice of poset from $p(s)$. ∎

The argument for Proposition 4 can be extended to show that, for any class including Var, $n$-equivalence for increasing $n$ forms a strict hierarchy. Our particular witnesses to this hierarchy are independent of the class of substitutions.

Proposition 5. For every $n > 1$ there exist pomsets $p$ and $q$ such that for any class $C$ of substitutions including Var, $p$ and $q$ are $(n-1)$-equivalent for $C$ but not $n$-equivalent for $C$.

Proof. It suffices to consider pomsets over a one-letter alphabet, i.e. posets up to isomorphism. (Note that Szpilrajn's theorem separates even isomorphic posets, and cannot be applied directly here.) Given $n$ we take for our counterexample a certain pair $p, q$ of posets of dimension $n$. Using essentially the same argument as in Proposition 4 we show that as one-letter pomsets $p$ and $q$ cannot be $n$-equivalent for Var, and hence for any larger class. We then show that they are $(n-1)$-equivalent for any class.

We take $p$ to be the standard poset $S_n$ [KT82], having $2n$ elements $\{a_0, \ldots, a_{n-1}, b_0, \ldots, b_{n-1}\}$, ordered so that $a_i < b_j$ just when $i \ne j$. An equivalent description of $S_n$ is as the lattice of atoms and coatoms of an $n$-atom Boolean algebra. $S_n$ is known to have dimension $n$ [KT82]. We take $q$ to be $S_n$ augmented with $a_0 < b_0$. (As pomsets, $p$ and $q$ are determined only up to isomorphism, so augmenting $p$ with $a_i < b_i$ for any $i$ yields the same pomset $q$.) Since $q$ has $2n$ elements it is of dimension at most $n$ [KT82]. Hence $p$ and $q$ are not $n$-equivalent for Var. The role of Var here is as for Proposition 4, namely allowing us to treat pomsets as posets.

For $(n-1)$-equivalence, suppose some linearization of an element of $p(s)$ violates $a_i < b_i$ for some $i$, necessary if we are to distinguish $p$ and $q$. Then there is a point in that string where $a_i$ has not yet finished ($a_i$ could have duration in the general case) yet $b_i$ has started. The constraints of $p$ require that at that point all the other $a_j$'s are done (for $b_i$ to start) and none of the other $b_j$'s have started (since $a_i$ is not yet done). Hence for every $j \ne i$, $a_j < b_j$, that is, there can be at most one violation of $a_i < b_i$ for any $i$ in any one linearization. But then any $(n-1)$-observation of $p(s)$ can collectively violate at most $n - 1$ of the constraints of the form $a_i < b_i$. This always leaves one such constraint unviolated, which is consistent with observing $q$. Hence the $(n-1)$-observations of $p(s)$ must coincide with those of $q(s)$ for all $s$. ∎
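
As an added example illustrating Definitions 7, 8 and 9 together with the witnesses of Proposition 5 (this is not code from the paper): the Python program below enumerates linearizations, $n$-observations and the brute-force dimension of a labelled poset, applies the Var substitution of Proposition 4 over a one-letter alphabet, and confirms for $n = 2$ that $S_2$ and $S_2$ augmented with $a_0 < b_0$ are 1-equivalent but not 2-equivalent for Var. The function names, and the use of digits in place of the pairs $(a, i)$ as the fresh labels, are the example's own conventions.

```python
from itertools import combinations, permutations, product

# Representation used by this example (not the paper's notation): a labelled
# partial order is a pair (labels, order); labels maps each event to its letter
# and order is the set of strict pairs (u, v) with u < v, transitively closed.

def linear_extensions(p):
    """All orderings of the events compatible with the strict order of p."""
    labels, order = p
    return [perm for perm in permutations(labels)
            if all(perm.index(u) < perm.index(v) for (u, v) in order)]

def linearizations(p):
    """lambda(p): the strings read off the linear extensions of p."""
    labels, _ = p
    return {"".join(labels[u] for u in perm) for perm in linear_extensions(p)}

def n_observations(lpos, n):
    """lambda_n(P) (Definition 7): n-tuples of linearizations of one member of P."""
    obs = set()
    for p in lpos:
        obs |= set(product(linearizations(p), repeat=n))
    return obs

def var_substitution(p, k):
    """The Var substitution of Proposition 4 for a one-letter alphabet: every event
    independently receives one of k fresh labels; digit d stands for the pair (a, d).
    Returns the list p(s) of relabelled lpos."""
    labels, order = p
    events = list(labels)
    return [({u: str(d) for u, d in zip(events, digits)}, order)
            for digits in product(range(k), repeat=len(events))]

def n_equivalent_for_var(p, q, n):
    """Definition 8 restricted to the Var substitution with one label per event."""
    k = len(p[0])
    return n_observations(var_substitution(p, k), n) == n_observations(var_substitution(q, k), n)

def dimension(p):
    """Definition 9 by brute force: the least k for which some k linear extensions
    intersect to exactly the order of p."""
    labels, order = p
    exts = linear_extensions(p)
    def relation(perm):
        return {(perm[i], perm[j]) for i in range(len(perm)) for j in range(i + 1, len(perm))}
    for k in range(1, len(exts) + 1):
        for choice in combinations(exts, k):
            if set.intersection(*map(relation, choice)) == order:
                return k
    return None

def standard_poset(n):
    """S_n of [KT82] as a one-letter pomset: a_i < b_j just when i != j."""
    labels = {("a", i): "a" for i in range(n)}
    labels.update({("b", i): "a" for i in range(n)})
    order = {(("a", i), ("b", j)) for i in range(n) for j in range(n) if i != j}
    return labels, order

def augment(p, u, v):
    """Add the constraint u < v and close transitively; the q of Proposition 5
    is augment(S_n, a_0, b_0)."""
    labels, order = p
    order = order | {(u, v)}
    changed = True
    while changed:
        changed = False
        for (x, y) in list(order):
            for (y2, z) in list(order):
                if y == y2 and (x, z) not in order:
                    order.add((x, z))
                    changed = True
    return labels, order

def proposition5_witness(n=2):
    """For S_n and S_n plus a_0 < b_0: ((n-1)-equivalent for Var, n-equivalent for Var)."""
    p = standard_poset(n)
    q = augment(p, ("a", 0), ("b", 0))
    return n_equivalent_for_var(p, q, n - 1), n_equivalent_for_var(p, q, n)
```

Without the Var substitution both $S_2$ and its augmentation have the single linearization $aaaa$, which is why the proof relabels first; with distinct labels the pair of strings $1203$ and $0312$ (for $a_0, a_1, b_0, b_1$ labelled $0, 1, 2, 3$) is a 2-observation of $S_2$ whose common order is only $a_0 < b_1$, $a_1 < b_0$, so no relabelling of $q$ can produce it. The brute-force `dimension` is only practical for the small posets used here.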


5  Observation  of  Processes 

A process is a set of pomsets, as per Definition 4. All our definitions of linearization, $n$-equivalence, etc. have been formulated to hold for processes in general, with single pomsets identified with singleton processes.

The  following  shows  a  basic  limitation  of  all  the  testing  scenarios  considered 
in  this  paper  when  applied  to  processes. 

Proposition 6. Observationally equivalent processes have equal augment closures.

Proof. Any pomset $p$ of a process $P$ must be visible to a team of size $\dim(P)$. If $Q$ is observationally equivalent to $P$ the same team must be able to observe $p$ as an apparent behavior of $Q$. Hence $Q$ must contain a behavior $q$ of which $p$ is an augment, whence $P \subseteq \alpha(Q)$. By symmetry of equivalence $Q \subseteq \alpha(P)$, whence $\alpha(P) = \alpha(Q)$. ∎

Lemma 7. Let $p$ be a pomset. Then there exists $n$ such that for any family $(q_i)_i$ of pomsets for which $\lambda_n(p) \subseteq \lambda_n(\bigcup_i q_i)$, there must exist $q_j$ in the family such that $p$ is an augment of $q_j$.

Proof. The only $q_i$'s that can contribute to $\lambda_n(p)$ have the same number of vertices as $p$. Since each $n$-tuple in $\lambda_n(\bigcup_i q_i)$ arises from a choice of a particular $q_i$, and since $\lambda_n(p)$ includes a single $n$-tuple completely encoding $p$, it follows that some $q_i$ must yield that $n$-tuple. But this is only possible for a $q_i$ of which $p$ is an augment. ∎

Proposition 8. For any two augment-closed processes $P$ and $Q$ there exists $n$ such that $P$ is not $n$-equivalent for Var to $Q$.

Proof. Assume without loss of generality that $P$ contains a pomset $p$ absent from $Q$. Then $p$ is not an augment of any pomset of $Q$. Let $n$ be the number associated to $p$ by Lemma 7. Then $\lambda_n(p)$ cannot be contained in $\lambda_n(Q)$, whence $\lambda_n(P)$ contains $n$-tuples not in $\lambda_n(Q)$. ∎

This generalizes Proposition 4 to full abstraction for processes. Hence VM for processes makes all possible distinctions between processes, whence DVM can only make the same distinctions. Thus for processes we retain the VM = DVM edge of Figure 1.

Proposition  2  showed  that  variability  alone  makes  no  difference  for  single 
pomsets.  But  that  proposition  applies  equally  to  pomsets  and  processes,  whence 
variability  also  makes  no  difference  for  processes  and  we  retain  the  0  =  V  edge 
of  Figure  1. 
1. Introduction

Recall, as background, the content of the handbook chapter [22]. There, a model for process calculi is presented as a class of objects (like transition systems, or Petri nets), equipped with a notion of morphism, so that it forms a category. The morphisms represent a form of simulation between processes, and arise naturally in relating the behaviour of a construction on processes to that of its components. Basic operations of process calculi may now be understood as universal constructions (like product and coproduct) of the category, and so are characterised abstractly, up to isomorphism. Categorical notions also come into play in relating different models, for instance, in relating the model of transition systems to that of Petri nets. Adjunctions, especially coreflections, provide a way to translate between one model and another. The understanding of the operations of process calculi as universal constructions guides definitions away from the ad hoc, while the preservation properties of adjoints help relate semantics in one model to a semantics in another.

The  richness  of  the  morphisms  in  the  categories  of  models,  a  richness  which  is  essential 
in  yielding  the  universal  constructions,  means  that  many  objects  with  strikingly  different 
behaviours  are  connected  by  morphisms;  in  particular,  morphisms  of  transition  systems 
relate  transition  systems  which  are  far  from  strongly,  or  weakly,  bisimilar.  The  categories 
do  not  immediately  yield  useful  abstract  equivalences  between  processes.  However,  in 
[8]  it  is  shown  how  a  general  concept  of  bisimulation  arises  from  the  definition  of  open 
map.  The  definition  of  open  map,  applicable  to  all  the  categories  of  models,  picks  out 
those  morphisms  which,  roughly  speaking,  reflect  as  well  as  preserve  behaviour.  It  is  then 
sensible  to  take  two  processes  to  be  bisimilar,  in  a  generalised  sense,  if  they  are  connected 
by  open  maps. 

The  definition  of  open  map  relies  not  just  on  a  categorical  presentation  of  a  model 
(for  example,  as  a  category  rather  than  just  a  class  of  transition  systems)  but  also  on  an 
acceptance  of  a  notion  of  computation  path  and  what  it  means  to  extend  a  computation 
path  by  another.  For  the  interleaving  model  of  transition  systems  a  reasonable  idea  is  to 
take  a  computation  path  (or  run)  as  a  sequence  of  consecutive  transitions,  which  we  can 
think  of  as  picked  out  by  a  morphism  from  a  string  of  action  labels;  here  it  is  hard  to  escape 
from  the  idea  that  extending  a  computation  path  is  associated  with  extending  the  string  of 
action  labels.  For  an  independence  model  like  event  structures  a  reasonable  idea  is  to  take 
a  computation  path  as  a  configuration,  or  more  generally  as  a  morphism  from  a  pomset  to 
the  event  structure;  this  time  several  ideas  suggest  themselves  as  to  how  we  might  extend 
a  computation  path  shaped  like  a  pomset,  because,  roughly,  we  can  extend  a  pomset  in 
"width" (adding concurrent events) as well as "height" (adding later, causally dependent events).

In the case of familiar models like transition systems or event structures the general definition of bisimulation specialises to familiar concepts; in particular, on transition systems with strings of actions as paths we obtain Park and Milner's strong bisimulation.

Presheaves offer a method to derive a model directly from a path category whose objects are path shapes and whose morphisms describe the extension of one path by another. Forming the category of presheaves over a path category has the effect of freely closing the path category under small colimits. More intuitively, a presheaf represents the effect of gluing together a set of computation paths to form a nondeterministic computation; the category of presheaves can be thought of as a category of nondeterministic computations. This intuition is backed up by canonical embeddings of traditional models into categories of presheaves over appropriately chosen path categories (cf. Theorem 4). Because the original path category embeds via the Yoneda functor into the category of its presheaves, we automatically obtain a notion of open map and bisimulation on presheaves.

A range of models and their notion of bisimulation can be understood in a uniform way via their representation as presheaves. Here we emphasise the view that presheaves can be profitably looked upon as transition systems, in which the labels are morphisms of path extension. This yields transition-system characterisations of open maps and bisimulation on presheaves, and through these to generalisations of Hennessy-Milner logic and games, providing a more operational characterisation. In particular, bisimulation on presheaves coincides with back-and-forth bisimulation between their associated transition systems.

In a way, by regarding presheaves as transition systems we can repay a debt to the foundational influence transition systems have had in the theory of concurrent computation. Many original motivations and intuitions were formed around the model of transition systems. Through the medium of presheaves,  we are able to cope uniformly with a range of models and their equivalences, from interleaving to independence models, and at the same time, by altering our view a little, see the approach as only a slight adjustment in the perspective that motivated Park and Milner's definition of strong bisimulation.

2.  Models,  Morphisms  and  Computation  Paths 

We quickly describe the models and notions of computation paths we shall use as running examples.

Transition systems consist of a set of states, with an initial state, together with transitions between states which are labelled to specify the kind of events they represent. Formally, a transition system is a structure

$(S, i, L, tran)$

where

• $S$ is a set of states with initial state $i$,

• $L$ is a set of labels, and

• $tran \subseteq S \times L \times S$ is the transition relation. As usual, we write $s \xrightarrow{a} s'$ to indicate that $(s, a, s') \in tran$.

A state $s$ is said to be reachable when $i \xrightarrow{a_1} \cdots \xrightarrow{a_n} s$ for some, possibly empty, string $a_1 \cdots a_n$.
As morphisms on transition systems we take functions on states which preserve initial states and transitions. Let

$T_0 = (S_0, i_0, L_0, tran_0)$

$T_1 = (S_1, i_1, L_1, tran_1)$

be transition systems. A morphism $\sigma : T_0 \to T_1$ is a function $\sigma : S_0 \to S_1$ such that $\sigma(i_0) = i_1$ and

$(s, a, s') \in tran_0 \Rightarrow (\sigma(s), a, \sigma(s')) \in tran_1.$

Morphisms on transition systems compose as functions. For the concerns of [22], morphisms on transition systems were more general. They could change labels and even send labels to undefined. This is necessary in relating the behaviour of compound processes to that of their components in languages like Milner's CCS, and in obtaining a repertoire of universal constructions, rich enough to yield a general process language. Here we concentrate on bisimulation for which we can take the simpler label-preserving morphisms as our starting point — such label-preserving morphisms play an important role in the categorical account of [22], for example, in understanding restriction and relabelling operations of CCS-like languages as universal constructions.

We shall call transition systems which look like trees synchronisation trees. More precisely, synchronisation trees are those transition systems with no loops, no distinct transitions to the same state, in which all states are reachable. Synchronisation trees inherit morphisms from transition systems, and themselves form a category. The inclusion of synchronisation trees in transition systems is a left adjoint to the functor unfolding a transition system to a synchronisation tree.

Special synchronisation trees will play a role in our treatment of bisimulation. Consider a (finite) computation (or run) in a transition system $T$. It is a sequence of transitions

$i = s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} s_n$

— the sequence might possibly be empty. Let us identify strings like $s = a_1 a_2 \cdots a_n$ in $L^*$ with "path shapes", rather special synchronisation trees consisting of a single branch of transitions

$\cdot \xrightarrow{a_1} \cdot \xrightarrow{a_2} \cdots \xrightarrow{a_n} \cdot$

Then the computation path in $T$ is identified with the morphism

$p : s \to T$

picking out the chain of transitions in $T$. Morphisms between such path shapes, consisting of single-branch synchronisation trees, inherited from transition systems correspond to extensions of the associated strings. So we can identify the category of such path shapes with the (partial-order) category of strings $L^*$; a morphism from string $s$ to string $t$ corresponds to $s$ being an initial prefix of $t$.

We  focus  on  event  structures  as  our  primary  example  of  an  independence  model — other 
independence  models  like  Petri  nets  and  Mazurkiewicz  trace  languages  are  related  to  event 
structures  via  adjunctions  in  [22]  in  such  a  way  that  they  inherit  a  common  notion  of 
bisimulation  (see  [8, 15]). 

Define a (labelled) event structure to be a structure $(E, \le, Con, l)$ consisting of a set $E$ of events which are partially ordered by $\le$, the causal dependency relation, a consistency relation $Con$ consisting of finite subsets of events, and a labelling function $l : E \to L$, which satisfy

$\{e' \mid e' \le e\}$ is finite,

$\{e\} \in Con$,

$Y \subseteq X \in Con \Rightarrow Y \in Con$,

$X \in Con \ \&\ e \le e' \in X \Rightarrow X \cup \{e\} \in Con$,

for all events $e, e'$ and their subsets $X, Y$.

Two events $e, e' \in E$ are said to be concurrent (causally independent) iff

$(e \not\le e' \ \&\ e' \not\le e \ \&\ \{e, e'\} \in Con)$.

Define a configuration (or state) of $E$ to be a subset $x \subseteq E$ which is

downwards-closed: $\forall e, e'.\ e' \le e \in x \Rightarrow e' \in x$, and

consistent: $\forall X.\ X \text{ finite} \ \&\ X \subseteq x \Rightarrow X \in Con$.

As before, we restrict attention to label-preserving morphisms on event structures over a common labelling set $L$. Let $E = (E, \le, Con, l)$, $E' = (E', \le', Con', l')$ be event structures over $L$. A morphism from $E$ to $E'$ consists of a function $\eta : E \to E'$ on events which preserves labels (i.e. $l = l' \circ \eta$) such that

if $x$ is a configuration of $E$, then $\eta x$ is a configuration of $E'$ and if for $e_1, e_2 \in x$ their images are equal, i.e. $\eta(e_1) = \eta(e_2)$, then $e_1 = e_2$.

In the category of event structures, morphisms are composed componentwise. The definition of morphism on event structures is rather abrupt — see [22] for motivation.
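
The following Python program is an added example, not the paper's own, encoding a small labelled event structure in the representation just defined: it checks the axioms (the finiteness axiom holds trivially for a finite event set), enumerates the configurations, tests concurrency, and checks the configuration-based morphism condition on a map that identifies two conflicting, equally labelled events. The structure itself (event $a$ causes $b$ and $c$, $b$ and $c$ are never jointly consistent, $e$ is independent of everything), the label names and the function names are all constructed for this example.

```python
from itertools import combinations

# Constructed representation (not the paper's): an event structure is a tuple
# (events, leq, con, label) where leq is the causal dependency relation as a set
# of pairs (e, e') meaning e <= e' (reflexive and transitive), con is the set of
# consistent subsets (frozensets, including the empty set) and label maps events
# to L.  With E finite, the axiom that every event has finitely many causes
# holds automatically, so it is not checked.

def subsets(x):
    """All subsets of a finite collection, as frozensets."""
    return (frozenset(y) for k in range(len(x) + 1) for y in combinations(x, k))

def reflexive_transitive(events, pairs):
    """The reflexive transitive closure of the given causal pairs."""
    rel = {(e, e) for e in events} | set(pairs)
    changed = True
    while changed:
        changed = False
        for (x, y) in list(rel):
            for (y2, z) in list(rel):
                if y == y2 and (x, z) not in rel:
                    rel.add((x, z))
                    changed = True
    return rel

def is_event_structure(es):
    """Singletons are consistent, Con is closed under subsets, and Con is closed
    under adding a cause of one of its members."""
    events, leq, con, _ = es
    singletons = all(frozenset({e}) in con for e in events)
    down_closed = all(y in con for x in con for y in subsets(x))
    cause_closed = all((x | {e}) in con for x in con for (e, e2) in leq if e2 in x)
    return singletons and down_closed and cause_closed

def concurrent(es, e, f):
    """e and f are causally independent: unordered and jointly consistent."""
    _, leq, con, _ = es
    return (e, f) not in leq and (f, e) not in leq and frozenset({e, f}) in con

def configurations(es):
    """Downwards-closed, consistent subsets of events."""
    events, leq, con, _ = es
    return [x for x in subsets(events)
            if all(a in x for (a, b) in leq if b in x)
            and all(y in con for y in subsets(x))]

def is_morphism(eta, es, es2):
    """Label-preserving map sending each configuration to a configuration and
    injective on each configuration."""
    events, _, _, label = es
    _, _, _, label2 = es2
    configs2 = set(configurations(es2))
    if not all(label2[eta[e]] == label[e] for e in events):
        return False
    for x in configurations(es):
        image = frozenset(eta[e] for e in x)
        if image not in configs2 or len(image) != len(x):
            return False
    return True

# Constructed example: a causes both b and c, b and c conflict (no consistent
# set contains both), and e is concurrent with everything.
EVENTS = ["a", "b", "c", "e"]
ES = (EVENTS,
      reflexive_transitive(EVENTS, [("a", "b"), ("a", "c")]),
      {x for x in subsets(EVENTS) if not {"b", "c"} <= x},
      {"a": "init", "b": "send", "c": "send", "e": "log"})

# Identifying the conflicting, equally labelled events b and c as one event d
# stays injective on every configuration, since no configuration holds both.
ES2 = (["a", "d", "e"],
       reflexive_transitive(["a", "d", "e"], [("a", "d")]),
       set(subsets(["a", "d", "e"])),
       {"a": "init", "d": "send", "e": "log"})
MERGE = {"a": "a", "b": "d", "c": "d", "e": "e"}
```

The map `MERGE` is the event-structure counterpart of folding two conflicting branches together: it is a morphism in the sense above precisely because conflict keeps $b$ and $c$ out of any common configuration, and it is the kind of morphism the open-map condition of the next section is designed to reject.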

In the case of an independence model like event structures a computation path carries more structure than simply a string of actions. This time we take path shapes to be finite pomsets. Pomsets are special event structures where all finite subsets of events are consistent. They are essentially labelled partial orders, and morphisms between them, got by restricting those of event structures, are injective functions which send downwards-closed sets to downwards-closed sets. Thus a morphism from pomset $P$ to pomset $Q$ may not just extend $P$ by extra events but also relax the causal dependency relation; two events causally related in $P$ may have images no longer causally related in $Q$. We separate the forms of morphism corresponding to the different ways one pomset can extend another.

Definition: Let $L$ be a labelling set. Define $\mathrm{Pom}_L$ to be the full subcategory of event structures with finite pomsets with labels in $L$ as objects.

Say a morphism $m : P \to Q$ in $\mathrm{Pom}_L$ is a prefix morphism iff $m$ preserves and reflects the causal dependency order. Define $\mathrm{Pom}^p_L$ to be the subcategory of $\mathrm{Pom}_L$ where all morphisms are prefix morphisms.

Say a morphism $m : P \to Q$ in $\mathrm{Pom}_L$ is an augmentation morphism iff $m$ is epimorphic. Define $\mathrm{Pom}^a_L$ to be the subcategory of $\mathrm{Pom}_L$ where all morphisms are augmentation morphisms.

Proposition 1. Any morphism $m : P \to Q$ factors uniquely to within isomorphism as a composition $m = P \xrightarrow{a} Q_0 \xrightarrow{j} Q$ where $a$ is an augmentation and $j$ is a prefix morphism.


3.  Open-Maps  and  Bisimulation 

Assume a category of models $\mathbf{M}$ — this could be any one of the categories of models with label-preserving morphisms of the previous section. Assume also a choice of path category, a subcategory $\mathbf{P} \hookrightarrow \mathbf{M}$ consisting of path objects (these could be branches, or pomsets) together with morphisms expressing how they can be extended.

Define a path in an object $X$ of $\mathbf{M}$ to be a morphism

$p : P \to X,$

in $\mathbf{M}$, where $P$ is an object in $\mathbf{P}$. A morphism $f : X \to Y$ in $\mathbf{M}$ takes such a path $p$ in $X$ to the path $f \circ p : P \to Y$ in $Y$. The morphism $f$ expresses the sense in which $Y$ simulates $X$; any computation path in $X$ is matched by the computation path $f \circ p$ in $Y$.

We might demand a stronger condition of a morphism $f : X \to Y$ expressed succinctly in the following path-lifting condition which when satisfied picks out the open morphisms. For our purposes later, it is convenient to define open morphisms with respect to a subclass of morphisms $\mathbf{P}_0$ of $\mathbf{P}$ — of course $\mathbf{P}_0$ could consist of all the morphisms of the whole category $\mathbf{P}$, when we shall identify the class of morphisms with $\mathbf{P}$ itself.

Whenever, for $m : P \to Q$ a morphism in $\mathbf{P}_0$, a "square"

(the square with sides $p : P \to X$, $m : P \to Q$, $f : X \to Y$ and $q : Q \to Y$)

in $\mathbf{M}$ commutes, i.e. $q \circ m = f \circ p$, meaning the path $f \circ p$ in $Y$ can be extended via $m$ to a path $q$ in $Y$, then there is a morphism $p' : Q \to X$ such that in the diagram

(the same square with the diagonal $p'$ added)

the two "triangles" commute, i.e. $p' \circ m = p$ and $f \circ p' = q$, meaning the path $p$ can be extended via $m$ to a path $p'$ in $X$ which matches $q$. When the morphism $f$ satisfies this condition we shall say it is $\mathbf{P}_0$-open.

Say two objects $X_1, X_2$ of $\mathbf{M}$ are $\mathbf{P}_0$-bisimilar iff there is a span of $\mathbf{P}_0$-open morphisms $f_1, f_2$:

$X_1 \xleftarrow{f_1} \cdot \xrightarrow{f_2} X_2$

For the well-known model of transition systems open morphisms and the bisimulation induced by them are already familiar:

Proposition 2. With respect to a labelling set $L$, the $L^*$-open morphisms of the category of transition systems with labelling set $L$ are the "zig-zag morphisms" of [20] (the "p-morphisms" of [18], the "abstraction homomorphisms" of [4], and the "pure morphisms" of [3]) i.e. those label-preserving morphisms $(\sigma, 1_L) : T \to T'$ on transition systems over labelling set $L$ with the property that for all reachable states $s$ of $T$,

if $\sigma(s) \xrightarrow{a} s'$ in $T'$ then $s \xrightarrow{a} u$ in $T$ and $\sigma(u) = s'$,

for some state $u$ of $T$.

Two transition systems (and so synchronisation trees), over the same labelling set $L$, are $L^*$-bisimilar iff they are strongly bisimilar in the sense of [12].
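
An added example of the path-lifting condition of Proposition 2 on finite transition systems, written in Python with constructed systems (this is not code from the paper): `is_morphism` checks the label-preserving morphism condition of the previous section and `is_open` checks the zig-zag condition over the reachable states. The fold of $a.b + a.c$ onto $a.(b + c)$ is a morphism that fails to be open, while wrapping a two-state $a$-cycle onto the one-state $a$-loop is open; together with the identity on the cycle that gives a span of open morphisms, so the cycle and the loop are $L^*$-bisimilar. State names, the label set and the function names are the example's own.

```python
# Constructed representation (not the paper's): a transition system is a tuple
# (states, initial, labels, tran) with tran a set of triples (s, a, s').

def reachable(ts):
    """States reachable from the initial state by some, possibly empty, string."""
    _, init, _, tran = ts
    seen, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for (u, _, v) in tran:
            if u == s and v not in seen:
                seen.add(v)
                todo.append(v)
    return seen

def is_morphism(sigma, t0, t1):
    """Label-preserving morphism: sigma sends the initial state to the initial
    state and each transition (s, a, s') of T0 to (sigma(s), a, sigma(s')) in T1."""
    _, i0, _, tran0 = t0
    _, i1, _, tran1 = t1
    return sigma[i0] == i1 and all((sigma[s], a, sigma[s2]) in tran1 for (s, a, s2) in tran0)

def is_open(sigma, t0, t1):
    """Proposition 2: for every reachable state s of T0 and every transition
    sigma(s) -a-> s' of T1 there is a transition s -a-> u of T0 with sigma(u) = s'."""
    tran0, tran1 = t0[3], t1[3]
    for s in reachable(t0):
        for (x, a, s2) in tran1:
            if x == sigma[s] and not any(u == s and b == a and sigma[v] == s2 for (u, b, v) in tran0):
                return False
    return True

# a.b + a.c: two a-branches, one followed by b, the other by c.
T_SPLIT = ({"r", "p", "q", "pb", "qc"}, "r", {"a", "b", "c"},
           {("r", "a", "p"), ("r", "a", "q"), ("p", "b", "pb"), ("q", "c", "qc")})
# a.(b + c): one a-transition after which both b and c are enabled.
T_JOIN = ({"r", "m", "mb", "mc"}, "r", {"a", "b", "c"},
          {("r", "a", "m"), ("m", "b", "mb"), ("m", "c", "mc")})
# Folding the two branches together is a morphism but not open:
# sigma(p) = m can do c while p cannot, so that path does not lift.
FOLD = {"r": "r", "p": "m", "q": "m", "pb": "mb", "qc": "mc"}

# A two-state a-cycle wrapped onto the one-state a-loop: every loop step lifts.
T_CYCLE = ({"s0", "s1"}, "s0", {"a"}, {("s0", "a", "s1"), ("s1", "a", "s0")})
T_LOOP = ({"t"}, "t", {"a"}, {("t", "a", "t")})
WRAP = {"s0": "t", "s1": "t"}

def examples():
    """Summary of the two constructed cases."""
    return {
        "fold is a morphism": is_morphism(FOLD, T_SPLIT, T_JOIN),
        "fold is open": is_open(FOLD, T_SPLIT, T_JOIN),
        "wrap is a morphism": is_morphism(WRAP, T_CYCLE, T_LOOP),
        "wrap is open": is_open(WRAP, T_CYCLE, T_LOOP),
    }
```

The failing case is the classic pair separated by strong bisimulation: after the $a$-step the folded system still offers both $b$ and $c$, which no single state of $a.b + a.c$ can match, and `is_open` reports exactly that missing lift.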

In the case of event structures with $\mathrm{Pom}_L$ as the path category we obtain the equivalence of strong history preserving bisimulation on event structures (see [8] or [15]).
In checking whether a morphism is $\mathbf{P}$-open or for $\mathbf{P}$-bisimulation, for a path category $\mathbf{P}$, it suffices to consider a restricted class of morphisms, sufficient to generate the category $\mathbf{P}$.

Definition: Let $\mathbf{P}$ be a category. Let $\mathbf{P}_0$ consist of a subclass of morphisms of $\mathbf{P}$. Say $\mathbf{P}_0$ generates $\mathbf{P}$ iff the only subcategory of $\mathbf{P}$ which includes $\mathbf{P}_0$ and all isomorphisms of $\mathbf{P}$ is $\mathbf{P}$ itself.

In particular, if $\mathbf{P}_0$ is a skeletal subcategory of $\mathbf{P}$, then $\mathbf{P}_0$ generates $\mathbf{P}$.

Example: The category $L^*$ is generated by the set of morphisms representing the extension of a string by a single label.

The category $\mathrm{Pom}_L$ is generated by the class of "atomic" morphisms of two kinds:

prefix: morphisms $m : P \to Q$ in $\mathrm{Pom}_L$ expressing that pomset $P$ is a prefix of pomset $Q$ where $Q$ contains one more event than $P$; so $m$ expresses that pomset $Q$ consists of a copy of $P$ with one additional event adjoined on top;

augmentation: morphisms $m : P \to Q$ in $\mathrm{Pom}_L$ expressing that pomset $P$ is an augmentation of pomset $Q$ but where the graph of the causal dependency relation in $P$ contains one more pair than that of $Q$; so the pomset $P$ consists of a copy of $Q$ with one extra link of causal dependency between previously concurrent events.

To see that this class of morphisms generates $\mathbf{Pom}_L$, note that any morphism $m : P \to Q$ in $\mathbf{Pom}_L$ factors uniquely (to within isomorphism) as a composition $m = j \circ a$ where

$a : P \to Q_0$

expresses that P is an augmentation of $Q_0$ and

$j : Q_0 \to Q$

expresses that $Q_0$ is a prefix of Q. Then, clearly any augmentation, or prefix, breaks down into a composition of basic augmentations, or prefixes, respectively, as above.

Clearly the subcategory $\mathbf{Pom}^p_L$ of prefix morphisms is generated by the atomic prefix morphisms, while the subcategory of augmentation morphisms is generated by the atomic augmentation morphisms described above.

Proposition 3. Suppose P is generated by a subclass of morphisms $P_0$.

1. Letting f be a morphism of M, f is P-open iff f is $P_0$-open.

2. Let $X_1, X_2$ be objects of M. Then, $X_1, X_2$ are P-bisimilar iff $X_1, X_2$ are $P_0$-bisimilar.

4. Presheaf Models

Given a path category P we can build the category $\widehat{P}$ of presheaves over P.² The objects of $\widehat{P}$ consist of functors $P^{op} \to \mathbf{Set}$, to the category of sets. The morphisms of $\widehat{P}$ are natural transformations between functors. Intuitively a presheaf $F : P^{op} \to \mathbf{Set}$ can be thought of as specifying for a typical path object P the set $F(P)$ of paths from P. It acts on a morphism $m : P \to Q$ in P to give a function $F(m) : F(Q) \to F(P)$ saying how Q-paths restrict to P-paths.

Let us see how a model, like a transition system or a labelled event structure, gives rise to a presheaf. Consider a category of models M and a choice of path category forming a subcategory $P \hookrightarrow M$. There is a canonical functor from the category of models M to the category of presheaves $\widehat{P}$. It takes an object X of M to the presheaf $M(-, X)$; more intuitively, it takes the model X to the presheaf which for each path object P yields the set of paths $M(P, X)$ from P into X. The canonical functor takes a morphism $f : X \to Y$ in M to the natural transformation

$M(-, f) : M(-, X) \to M(-, Y)$

whose component at an object P of P is the function $M(P, X) \to M(P, Y)$ taking p to $f \circ p$; intuitively, a path $p : P \to X$ in X is taken to a path $f \circ p : P \to Y$ in Y.

² Proofs for presheaf models can be found in [8]. A good introduction to presheaves can be found in Chapter I of [10].

Theorem 4.

(i) The canonical functor from synchronisation trees, all with labelling set L, to $\widehat{L^*}$ is full, faithful and dense.

(ii) The canonical functor from event structures, all with labelling set L, to $\widehat{\mathbf{Pom}_L}$ is full, faithful and dense.

The embeddings of Theorem 4 extend the Yoneda embedding of $P \to \widehat{P}$, regarding a path object P as the presheaf $P(-, P) = M(-, P)$ because, in these cases, the subcategory $P \hookrightarrow M$ is full. Now, if we regard presheaves as the model $M'$ and the image of P under the Yoneda embedding as its path category $P'$, we can apply the general definition of Section 3, to obtain the class of $P'$-open morphisms of the presheaf category. They form a category of open maps of the topos $\widehat{P}$, in the sense of Joyal and Moerdijk.³ The two notions of P-open and open map agree for the models of synchronisation trees and event structures, because generally:

Proposition 5. Let P be a dense, full subcategory of M. A morphism $f : X \to Y$ of M is P-open iff the morphism $M(-, f) : M(-, X) \to M(-, Y)$ is an open map of presheaves.

When it comes to relating notions of bisimilarity, we must be a little careful. It is not the case that two synchronisation trees are $L^*$-bisimilar iff their associated presheaves are related by a span of open maps in $\widehat{L^*}$. But this is only because there are presheaves which correspond to processes without an initial state; in particular, there is always a span of open maps between any two presheaves subtended from the initial (always empty) presheaf.

A way to get a correspondence is to restrict the objects in the presheaf category.

Definition: In the situation where the path category P of a model M has an initial object I, a rooted presheaf is a presheaf F in which $F(I)$ is a singleton.

Remark: Another way to get a correspondence is to define bisimilarity in the entire presheaf category via spans of surjective open maps. This is the more robust definition, and indeed the one used in [8]; it applies even when the path category does not have an initial object, and open maps between rooted presheaves are necessarily surjective (see e.g. [23]).

Proposition 6. (i) Two synchronisation trees, over labelling set L, are $L^*$-bisimilar (i.e. strong bisimilar) iff their corresponding presheaves, under the canonical embedding, are related by a span of open maps in the full subcategory of rooted presheaves of $\widehat{L^*}$.

(ii) Two event structures, over labelling set L, are $\mathbf{Pom}_L$-bisimilar (i.e. strong history-preserving bisimilar) iff their corresponding presheaves, under the canonical embedding, are related by a span of open maps in the full subcategory of rooted presheaves of $\widehat{\mathbf{Pom}_L}$.

³ See [7], Example 1.1, though there the definition is expressed in terms of the existence of certain quasi-pullbacks; its equivalence with $P'$-openness, expressed as a path-lifting property, follows by the Yoneda Lemma.
5. Presheaves as Transition Systems

Assume that a path category P has an initial object I, and that $P_0$ is a subclass of morphisms of P.

It will be helpful to think of a rooted presheaf over P as a transition system with labels taken from morphisms of $P_0$:

Definition: Let X be a rooted presheaf over P. Define its $P_0$-transition system, denoted by $\Omega_{P_0}(X)$, to consist of:

states: $(P, p)$ where P is an object of P and $p \in X(P)$; take the unique member of $X(I)$ as the initial state;

labelling set: $P_0$;

transitions: $(P, p) \xrightarrow{m} (Q, q)$ whenever $m : P \to Q$ in $P_0$ and $(Xm)(q) = p$.

Remark: The construction $\Omega_{P_0}(X)$ on a presheaf X is a slight generalisation of a well-known construction of a category of elements of a presheaf (see e.g. [10]).

Notice what the construction does on a presheaf X: it forms a transition system with "states" $p \in X(P)$ which by the Yoneda Lemma correspond 1-1 with the computation paths from P (or strictly its image under the Yoneda embedding) into X.

Given a morphism of presheaves, i.e. a natural transformation between them, we obtain a morphism of transition systems; $\Omega_{P_0}$ extends to a functor on presheaves.

Definition: Suppose $f : X \to Y$ is a natural transformation between presheaves X and Y. Define $\Omega_{P_0}(f)$ to be the morphism of transition systems which acts on states so that $(P, p) \mapsto (P, f_P(p))$; thus the transition $(P, p) \xrightarrow{m} (Q, q)$ is sent to the transition

$(P, f_P(p)) \xrightarrow{m} (Q, f_Q(q)).$

(It takes a little checking that $\Omega_{P_0}(f)$ is indeed a morphism of transition systems.)

So, thinking of categories of elements as transition systems, the associated functor is a label-preserving morphism of transition systems. More than this, provided $P_0$ generates P, a natural transformation f between presheaves is open iff $\Omega_{P_0}(f)$ is a zig-zag morphism between the associated transition systems (cf. Proposition 2).

Proposition 7. Assume $P_0$ generates P. A morphism $f : X \to Y$ between rooted presheaves in $\widehat{P}$ is open iff $\Omega_{P_0}(f) : \Omega_{P_0}(X) \to \Omega_{P_0}(Y)$ is a zig-zag morphism between transition systems with labelling sets $P_0$.

We can go further and characterise bisimulation on presheaves as a form of bisimulation on transition systems with labels in a generating class of morphisms $P_0$.

Definition: Say two transition systems $T_1, T_2$ with a common label set are back-and-forth bisimilar iff there is a relation R between their states such that $i_1 R i_2$, so their initial states are related, and whenever $s_1 R s_2$, then

if $s_1 \xrightarrow{a} s_1'$ then $s_2 \xrightarrow{a} s_2'$ and $s_1' R s_2'$, for some state $s_2'$ of $T_2$;

if $s_2 \xrightarrow{a} s_2'$ then $s_1 \xrightarrow{a} s_1'$ and $s_1' R s_2'$, for some state $s_1'$ of $T_1$;

if $s_1' \xrightarrow{a} s_1$ then $s_2' \xrightarrow{a} s_2$ and $s_1' R s_2'$, for some state $s_2'$ of $T_2$, and

if $s_2' \xrightarrow{a} s_2$ then $s_1' \xrightarrow{a} s_1$ and $s_1' R s_2'$, for some state $s_1'$ of $T_1$.

Proposition 8. Let $X_1, X_2$ be presheaves over P. Assume $P_0$ is a subclass of morphisms generating P. The presheaves $X_1, X_2$ are P-bisimilar iff their transition systems $\Omega_{P_0}(X_1), \Omega_{P_0}(X_2)$ are back-and-forth bisimilar.

Remark: Though this result is presented in a different guise it consists essentially of Lemma 17 in [8] characterising bisimulation between rooted presheaves as strong path bisimulation.

Warning: This result should not be interpreted in the broader sense that we advocate back-and-forth bisimulation as the appropriate bisimulation on transition systems. In fact, the presheaves in $\widehat{L^*}$ of transition systems with labelling set L, obtained by the canonical functor from transition systems to presheaves, will be bisimilar iff the original transition systems are strongly bisimilar in the sense of Park and Milner.

Example:

Paths as strings: When we specialise to the (partial order) category of strings $L^*$, the subcategory of rooted presheaves in $\widehat{L^*}$ is equivalent to the category of synchronisation trees. Bisimulation between rooted presheaves in $\widehat{L^*}$ is reduced to back-and-forth bisimulation based on extensions of strings by a single label. Thus bisimulation between rooted presheaves coincides with back-and-forth bisimulation on synchronisation trees, and as is well-known [13] this coincides with Park and Milner's strong bisimulation. As remarked above, the bisimulation on transition systems induced by the canonical functor to $\widehat{L^*}$ is strong bisimulation.

Paths as pomsets: Two subcategories of rooted presheaves are of interest, those over path categories $\mathbf{Pom}_L$ and $\mathbf{Pom}^p_L$.

In the case of bisimulation between presheaves over $\mathbf{Pom}_L$ it suffices to consider "atomic" prefix and augmentation morphisms. Presheaves of event structures under the canonical embedding are bisimilar iff the event structures are strong history-preserving bisimilar (see [8] for the proof).

Just for the moment, consider the full subcategory of event structures, over labelling set L, where morphisms $\eta : E \to E'$ are further constrained to satisfy:

if x is a configuration of E, then $\eta x$ is a configuration of $E'$, and the restriction of $\eta$ from x to $\eta x$ is an isomorphism of pomsets.

(Here we identify a configuration of an event structure E with its pomset structure induced by E.)

We call such morphisms prefix morphisms because they generalise their namesakes on pomsets. The canonical functor from the category of event structures with prefix morphisms, to rooted presheaves in $\widehat{\mathbf{Pom}^p_L}$ is full and faithful (because the category of pomsets with prefix morphisms is dense in the category of event structures with prefix morphisms). Under it two event structures give rise to bisimilar presheaves iff they are strong history-preserving bisimilar. This is essentially because if we look at the transition system of the presheaf obtained from an event structure, its states will correspond to configurations of the event structure.

Thus, strong history-preserving bisimulation of event structures coincides with bisimulation of the canonical presheaves (obtained by the canonical embedding) in the presheaves $\widehat{\mathbf{Pom}_L}$, and also with bisimulation between the canonical presheaves over just $\mathbf{Pom}^p_L$, where we restrict to simply prefix morphisms of pomsets and event structures. In investigating the bisimilarity of event structures it suffices to consider just "atomic" prefix morphisms in $\mathbf{Pom}^p_L$ where a single new event is adjoined.

6. Logic and Game Corollaries

By characterising bisimulation on presheaves as back-and-forth bisimulation on their associated transition systems we can connect with logic and game characterisations of bisimulation of the kind discussed in [12] (for logic) and [19] (for games and logic).

6.1. A specification logic. Assume the path category P is a small subcategory with initial object I. Let $P_0$ be a subclass of morphisms of P.

Define $P_0$-assertions by:

$$A ::= \langle m \rangle A \mid \overline{\langle m \rangle} A \mid \neg A \mid \bigwedge_{i \in J} A_i$$

where m is a morphism in $P_0$, and J is an indexing set, possibly empty and not restricted to being finite. The modality $\overline{\langle m \rangle}$ is a "backwards" modality, while $\langle m \rangle$ is a "forwards" modality. We define the semantics with respect to a transition system with labelling set $P_0$:

• $s \models \langle m \rangle A$ iff $\exists s'.\ s \xrightarrow{m} s'$ and $s' \models A$

• $s \models \overline{\langle m \rangle} A$ iff $\exists s'.\ s' \xrightarrow{m} s$ and $s' \models A$

• the boolean operations receive their expected meanings.

The logic is but a step away from Hennessy-Milner logic, well-known to be characteristic for strong bisimulation, and the proof is virtually the same (see [12, 8]).

Theorem 9. Let $P_0$ generate P. Two rooted presheaves in $\widehat{P}$ are bisimilar iff their $P_0$-transition systems satisfy the same assertions.
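The satisfaction relation just defined, run over finite transition systems, as an added Python example (not from the paper): labels are plain symbols standing in for the morphisms of $P_0$, and the sample systems, including one pair that only a backwards modality can separate from their initial states, are constructed here.

```python
TRUE = ("and", [])          # the empty conjunction, satisfied everywhere


def sat(trans, s, A):
    """s |= A over the transition set `trans` (triples (s, label, s')).
    Assertion forms:
      ("fwd", m, B): exists s' with s -m-> s' and s' |= B   (forwards modality <m>)
      ("bwd", m, B): exists s' with s' -m-> s and s' |= B   (backwards modality)
      ("not", B):    negation
      ("and", Bs):   conjunction over an index set (possibly empty)
    Labels are plain symbols standing in for the morphisms of P0."""
    kind = A[0]
    if kind == "fwd":
        _, m, B = A
        return any(sat(trans, t, B) for (x, a, t) in trans if x == s and a == m)
    if kind == "bwd":
        _, m, B = A
        return any(sat(trans, x, B) for (x, a, t) in trans if t == s and a == m)
    if kind == "not":
        return not sat(trans, s, A[1])
    if kind == "and":
        return all(sat(trans, s, B) for B in A[1])
    raise ValueError(f"unknown assertion form {kind!r}")


def fwd(m, A=TRUE):
    return ("fwd", m, A)


def bwd(m, A=TRUE):
    return ("bwd", m, A)


def conj(*As):
    return ("and", list(As))


def sat_initial(trans, A, init="i"):
    """Satisfaction at the initial state, which is what Theorem 9 compares."""
    return sat(trans, init, A)


# Constructed samples (initial state "i" throughout).
T_A_BC = {("i", "a", "s"), ("s", "b", "t1"), ("s", "c", "t2")}        # a.(b + c)
T_AB_AC = {("i", "a", "s1"), ("i", "a", "s2"),
           ("s1", "b", "t1"), ("s2", "c", "t2")}                      # a.b + a.c
T_EXTRA = {("i", "a", "s"), ("t", "b", "s")}   # a second, unreachable b-predecessor of s
T_PLAIN = {("i", "a", "s")}

# <a>(<b>T and <c>T): the classic Hennessy-Milner formula separating a.(b + c)
# from a.b + a.c; it uses forwards modalities only.
SEP_CHOICE = fwd("a", conj(fwd("b"), fwd("c")))
# <a><b>^-T: after an a-step, an incoming b-transition is available.  Only a
# backwards modality can tell T_EXTRA from T_PLAIN, whose forwards behaviour
# from "i" is identical (cf. the Warning of Section 5).
SEP_BACK = fwd("a", bwd("b"))
```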

Example: We determine a satisfaction relation for synchronisation trees and event structures via their canonical embeddings in presheaf categories $\widehat{L^*}$, $\widehat{\mathbf{Pom}_L}$ and $\widehat{\mathbf{Pom}^p_L}$; for a more direct definition of the satisfaction relation for these concrete models, based on their paths, see [8].

Paths as strings: Traditional Hennessy-Milner logic arises by reducing the seemingly richer logic based on all extension morphisms in $L^*$. Firstly, as remarked earlier we can restrict to just the forwards modalities; for synchronisation trees back-and-forth bisimulation amounts to strong bisimulation. Because extensions by a single symbol are enough to generate the category of strings $L^*$, it suffices in getting a logic characteristic for bisimulation on synchronisation trees to restrict to forward modal assertions of the form $\langle b \rangle A$ where b is a single label; specifying the label b together with the domain of the morphism is enough to determine the morphism in the path category.

Paths as pomsets: Bisimulation between rooted presheaves over $\mathbf{Pom}_L$ or $\mathbf{Pom}^p_L$ is characterised by satisfaction of assertions with modalities labelled by "atomic" morphisms. The category of event structures, with labelling set L, with prefix morphisms embeds canonically in $\widehat{\mathbf{Pom}^p_L}$. So strong history-preserving bisimulation of event structures is characterised by logic with forwards and backwards modalities labelled by "atomic" prefix morphisms. In the case where the event structures have no autoconcurrency (i.e. no concurrent events with the same label) the labels associated with the modalities can be simplified to single labels; see [14].

6.2. Games on presheaves. Assume again that the path category P is a small subcategory with initial object I, and that $P_0$ is a subclass of morphisms of P.

Viewing presheaves as transition systems, we may also lift existing notions of games for transition systems to presheaves. As an example we adopt here a back-and-forth version of the games for transition systems defined by e.g. [19], well known to be characteristic for strong bisimulation.

Let $T_0 = (S_0, i_0, L_0, tran_0)$ and $T_1 = (S_1, i_1, L_1, tran_1)$ be two transition systems. The game $G(T_0, T_1)$ played by two players (I and II) is defined as follows. The configurations of the game consist of pairs of states $(s_0 \in S_0, s_1 \in S_1)$ with $(i_0, i_1)$ as the starting configuration. A play consists of a sequence of alternating moves by the two players (Player I making the first move), where a move consists of a choice of a transition from one of the systems, according to the following game rules:
At configuration $(s_0, s_1)$

- either Player I chooses a transition $s_0 \xrightarrow{a} s_0'$, after which Player II chooses a transition $s_1 \xrightarrow{a} s_1'$, and the game continues at configuration $(s_0', s_1')$,

- or Player I chooses a transition $s_1 \xrightarrow{a} s_1'$, after which Player II chooses a transition $s_0 \xrightarrow{a} s_0'$, and the game continues at configuration $(s_0', s_1')$,

- or Player I chooses a transition $s_0' \xrightarrow{a} s_0$, after which Player II chooses a transition $s_1' \xrightarrow{a} s_1$, and the game continues at configuration $(s_0', s_1')$,

- or Player I chooses a transition $s_1' \xrightarrow{a} s_1$, after which Player II chooses a transition $s_0' \xrightarrow{a} s_0$, and the game continues at configuration $(s_0', s_1')$.

Player I wins a play if Player II gets stuck, i.e. at some point cannot match a move by Player I according to the rules of the game. All other plays are won by Player II, i.e. all infinite plays, and plays where Player I at some point cannot make a move. A (history-free) strategy for a player is a set of rules which for each configuration tells the player how to proceed, i.e. for Player II a rule will associate to each configuration and a choice of back or forth transition in one of the systems by Player I, a set of matching transitions in the other system. A strategy is winning for a player, if he or she wins every play played according to the strategy.

Intuitively, the two players have different goals in game $G(T_0, T_1)$: Player I wants to show that the two transition systems are distinguishable, Player II that they are not. Viewing presheaves as transition systems, the notion of distinguishable is determined by:

Theorem 10. Let $P_0$ generate P. Two rooted presheaves in $\widehat{P}$ are bisimilar iff Player II has a winning strategy in the game defined by their two $P_0$-transition systems.

This theorem follows from Theorem 8 by essentially the proof of the corresponding theorem for transition systems from [19].
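The back-and-forth bisimulation of Section 5 and Player II's winning strategy in $G(T_0, T_1)$ are two faces of one greatest fixpoint; the following added Python example (not from the paper) computes it for finite transition systems and reads Player II's answers off the result. Labels are plain symbols standing in for the generating morphisms $P_0$, and all transition systems are constructed sample data, including the pair from the Warning of Section 5 that is strongly but not back-and-forth bisimilar.

```python
from itertools import product


class TS:
    """A finite transition system: states, initial state and labelled
    transitions.  Labels stand in for the morphisms of the generating class P0."""

    def __init__(self, states, init, trans):
        self.states = frozenset(states)
        self.init = init
        self.trans = frozenset(trans)          # triples (s, label, s')

    def succ(self, s, a):
        return {t for (x, b, t) in self.trans if x == s and b == a}

    def pred(self, s, a):
        return {x for (x, b, t) in self.trans if t == s and b == a}

    def labels(self):
        return {b for (_, b, _) in self.trans}


def bisimulation(t0, t1, back=True):
    """Largest relation R between states of t0 and t1 whose pairs satisfy the
    'forth' clauses and, when back=True, also the 'back' clauses of the
    back-and-forth bisimulation definition.  Greatest fixpoint: start from all
    pairs and discard violating pairs until nothing changes.  With back=False
    only forward moves must be matched, i.e. ordinary strong bisimulation."""
    labels = t0.labels() | t1.labels()
    R = set(product(t0.states, t1.states))

    def matched(moves):
        # every Player I move (one inner list of candidate answers) has an
        # answer that keeps the configuration inside R
        return all(any(p in R for p in answers) for answers in moves)

    changed = True
    while changed:
        changed = False
        for (s0, s1) in list(R):
            ok = True
            for a in labels:
                # forth: s0 -a-> u0 answered by s1 -a-> u1 with (u0, u1) in R, and vice versa
                forth = [[(u0, u1) for u1 in t1.succ(s1, a)] for u0 in t0.succ(s0, a)] + \
                        [[(u0, u1) for u0 in t0.succ(s0, a)] for u1 in t1.succ(s1, a)]
                # back: u0 -a-> s0 answered by u1 -a-> s1 with (u0, u1) in R, and vice versa
                back_moves = [[(u0, u1) for u1 in t1.pred(s1, a)] for u0 in t0.pred(s0, a)] + \
                             [[(u0, u1) for u0 in t0.pred(s0, a)] for u1 in t1.pred(s1, a)]
                if not matched(forth) or (back and not matched(back_moves)):
                    ok = False
                    break
            if not ok:
                R.discard((s0, s1))
                changed = True
    return R


def bisimilar(t0, t1, back=True):
    """The systems are bisimilar iff the largest bisimulation relates the
    initial states (any bisimulation is contained in the largest one)."""
    return (t0.init, t1.init) in bisimulation(t0, t1, back)


def player_ii_answers(R, t0, t1, config, move):
    """Player II's matching moves in G(t0, t1), read off a back-and-forth
    bisimulation R containing `config`.  `move` = (system, direction, label,
    target) is Player I's move: 'forth' s -a-> target or 'back' target -a-> s
    in system 0 or 1.  Every returned state keeps the play inside R, so
    always answering from this set is a winning strategy for Player II."""
    s0, s1 = config
    system, direction, a, target = move
    if system == 0:
        cands = t1.succ(s1, a) if direction == "forth" else t1.pred(s1, a)
        return {u for u in cands if (target, u) in R}
    cands = t0.succ(s0, a) if direction == "forth" else t0.pred(s0, a)
    return {u for u in cands if (u, target) in R}


# Constructed samples.  a.(b + c) versus a.b + a.c: not bisimilar.
T_A_BC = TS({"i", "s", "t1", "t2"}, "i",
            {("i", "a", "s"), ("s", "b", "t1"), ("s", "c", "t2")})
T_AB_AC = TS({"i", "s1", "s2", "t1", "t2"}, "i",
             {("i", "a", "s1"), ("i", "a", "s2"), ("s1", "b", "t1"), ("s2", "c", "t2")})
# a.b + a.b versus a.b: bisimilar, back and forth.
T_AB_AB = TS({"i", "s1", "s2", "t1", "t2"}, "i",
             {("i", "a", "s1"), ("i", "a", "s2"), ("s1", "b", "t1"), ("s2", "b", "t2")})
T_AB = TS({"i", "s", "t"}, "i", {("i", "a", "s"), ("s", "b", "t")})
# The Warning of Section 5: strongly bisimilar (t is unreachable from i) but
# not back-and-forth bisimilar, since at configuration (s, s) Player I may
# move backwards along t -b-> s in T_EXTRA and Player II has no b-predecessor.
T_EXTRA = TS({"i", "s", "t"}, "i", {("i", "a", "s"), ("t", "b", "s")})
T_PLAIN = TS({"i", "s"}, "i", {("i", "a", "s")})
```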

Example: Games for synchronization trees and event structures are obtained from their canonical embeddings in presheaf categories.

Paths as strings: We obtain the original Stirling games characteristic for synchronization trees in the same way we obtained the original Hennessy-Milner logic above. First of all, from [13] we can restrict the games to only forwards moves, i.e. transitions labelled by extension morphisms. Secondly, from the theorem above we may restrict games to allow only moves involving extension with a single symbol, and finally such a morphism in the path category is determined by its domain and the label of the extended single symbol.

Paths as pomsets: Bisimulation between rooted presheaves over $\mathbf{Pom}_L$ or $\mathbf{Pom}^p_L$ is characterised by games with moves restricted to transitions labelled by "atomic" morphisms. We may obtain games for event structures via their canonical embedding in $\widehat{\mathbf{Pom}^p_L}$, and hence we get that games with moves restricted to forwards and backwards transitions labelled by "atomic" prefix morphisms are characteristic for strong history-preserving bisimulation of event structures.

7. Concluding Remarks

So are presheaves just transition systems? No, they are really much more. While it can provide helpful intuition to think of presheaves as transition systems, presheaves possess a great deal of mathematical structure, which has already proved useful, or is potentially useful. For instance, there are results like that of [5] showing that constructions obtained from certain left Kan extensions automatically preserve open maps, and observations like that of [23], that moving to the category of profunctors, essentially presheaves acting as morphisms, we can begin to tackle higher-order features like process-passing; in recent work there appear to be technical advantages in viewing profunctors as transition systems. More speculatively, we can hope that the fact that presheaves form a topos will become helpful.
On topological hierarchies of temporal properties

Christel Baier and Marta Kwiatkowska


Abstract. The classification of properties of concurrent programs into safety and liveness was first proposed by Lamport [20]. Since then several characterizations of hierarchies of properties have been given, see e.g. [3, 18, 7, 19]; this includes syntactic characterizations (in terms of classes of formulas of logics such as the linear temporal logic) as well as extensional (as sets of computations in some abstract domain). The latter often admits a topological characterization with respect to the natural topologies of the domain of computations. We introduce a general notion of a linear time model of computation which consists of partial and completed computations satisfying certain axioms. The model is endowed with a natural topology. We show that the usual topologies on strings, Mazurkiewicz traces and pomsets arise as special cases. We then introduce a hierarchy of properties including safety, liveness, guarantee, response and persistence properties, and show that our definition subsumes the hierarchies of: Alpern & Schneider [3]; Chang, Manna & Pnueli [7]; and Kwiatkowska, Peled & Penczek [19]. Syntactic characterizations of the properties in the hierarchy in terms of temporal logic are also studied.


1. Introduction

The classification of properties of concurrent programs into safety and liveness was first proposed by Lamport [20]. According to the informal intuition introduced there, safety properties assert that "nothing bad happens", whereas liveness properties ensure that "something good will happen". Thus, a safety property is satisfied in a program if and only if at no point during its execution something "bad" happens. Examples of safety properties are: mutual exclusion (where the bad thing is two processes being in their critical sections at the same time), deadlock freedom (the bad thing is deadlock, i.e. a state in which no progress can be made) or partial correctness (where the bad thing is violating the postcondition assuming the execution started in a state satisfying the precondition). Safety properties are proved by means of arguments involving invariants; such arguments are usually too weak to guarantee that something will happen at all (e.g. partial correctness is no guarantee of termination).

In contrast to safety, proofs of liveness properties often employ well-founded induction. A liveness property states that at some point during the execution the program enters a desirable state. Termination is a typical liveness property; in the context of a mutual exclusion protocol it is the statement that a process trying to enter its critical section will eventually be allowed to enter. Some authors include also starvation freedom (every process ready to make progress infinitely often is allowed to do so infinitely often) within the class of liveness properties; here the desirable state (the process making progress) has to be entered infinitely often.

Apart from the underlying proof methodology, the distinction between safety and liveness can be made at other levels as well. This includes syntactic characterizations, i.e. classes of formulas that denote the given properties (e.g. safety is stated in terms of the 'always' modality in temporal logics, whereas liveness in terms of 'eventually'), see e.g. [23, 7, 19]; automata-theoretic characterizations (i.e. classes of automata which accept precisely the properties of a given class), see e.g. [4, 23, 7]; and extensional characterizations as certain sets of computations in some domain, see e.g. [3, 18, 15, 23, 7, 19]. The latter often admit the corresponding topological characterization for some topology on the domain of computations.

While all concerned agree that safety properties are the closed sets, disagreement about what precisely constitutes a liveness property in an abstract domain of computations persists. For example, Alpern & Schneider [3], working with the Cantor topology in the domain of infinite sequences of states, define liveness as the dense sets. In contrast, Chang, Manna & Pnueli [7], see also [23, 8], who work with the same domain but focus on the syntactic classes of properties expressed in Linear Time Temporal Logic (LTL), formulate a finer-grain hierarchy of four classes of properties (safety, guarantee, response and persistence) and show that they correspond to the two lower levels of the Borel hierarchy; they also show that the Alpern & Schneider characterization is orthogonal to their hierarchy. When considering a partial order semantic domain of computations, e.g. Mazurkiewicz traces, pomsets, etc., together with a partial order temporal logic, the picture complicates further, as the natural topologies of such domains (the relativised Scott topology) are coarser than, and need not coincide with, their metric topologies¹; only certain aspects of the hierarchy of [7] generalise to this case. For example, in [18, 15], where the domain of Mazurkiewicz traces is used, liveness is defined as a $G_\delta$-set, and fairness as a dense $G_\delta$-set. In [19] this is developed further to a hierarchy of properties which reduces to the Chang, Manna & Pnueli hierarchy by considering a syntactic classification in the partial order temporal logic GISTL, together with a corresponding topological characterization in terms of the relativised Scott topology. While several aspects of [7] generalise to the partial order case, the automata-theoretic characterization does not, and only a subset of formulas of GISTL is considered.

This paper aims to define hierarchies of properties in terms of an abstract, axiomatically given, semantic domain of computations, which is a common generalisation of domains such as Mazurkiewicz traces [24], pomsets [29] or partial order executions [13]. The starting point is a linear time model A, i.e. a semantic domain A subdivided into the 'finite elements' (the set $K(A)$ of partial computations) and 'infinite elements' (the set A of complete computations). Partial computations can be thought of as finite execution fragments of complete computations; we suppose the existence of a mapping $x \mapsto K(x)$ which assigns to each computation $x \in A$ the set of its partial computations. The behaviour of a program is denoted by the set of its (complete) computations. A (complete) computation of a program P denotes a possible behaviour of P which arises by resolving all the non-deterministic choices in advance. If there is a non-deterministic choice in a program then exactly one computation will record the specific choice made in that execution (i.e. computations do not contain branches). For convenience, we assume that all terminating computations are modelled by the complete (infinite) elements of A; this can be achieved by extending each terminating computation with infinitely many occurrences of a special action which does not affect the state of the system.

¹ This problem does not arise in the Cantor topology: it is simultaneously Hausdorff and the Scott topology of the finite and infinite sequences relativised to the maximal (infinite) sequences.

Observe that A admits both interleaving and partial order (i.e. 'true concurrency') models, but does not faithfully represent branching behaviour. In interleaving models, where parallelism is reduced to non-determinism and sequential composition, no distinction is made between non-determinism arising from parallelism and that arising from explicit choice. In contrast to this, such distinctions can be made in true concurrency models; there, the execution of concurrent events can happen in any order or in parallel. Synchronization among processes is treated in the same way as explicit non-determinism. Hence, in interleaving models the linearization of a computation is uniquely determined, whereas in true concurrency models there may exist more than one linearization of a computation (which differ in the order of concurrent events).

For a fixed model A a property is any subset of $2^A$ (consisting of those programs which are assumed to have this property). We suppose that the decision as to which of the possible computations is executed is made by the environment, and not by the program itself. Hence, in order to prove the correctness of a program one has to show that all computations behave well. For this reason we suppose that the properties under consideration are of the form $E_T = \{ P \in 2^A : P \subseteq T \}$ where T is a subset of A which consists of those computations which behave well. In the sequel we refer to any subset T of A as a property.

In an abstract model $A$, following [7, 19], we define a hierarchy of four types of properties which can be verified by observing finite execution fragments: safety, guarantee, response and persistence properties. This is achieved by means of operators $\mathcal{A}$, $\mathcal{E}$, $\mathcal{R}$ and $\mathcal{P}$ that assign to each finitary property $F$ (i.e. $F \subseteq \mathcal{K}(A)$) a subset of $\overline{A}$. For example, a safety property asserts that all finite approximations fulfil a certain finitary property $F$ (i.e. a safety property consists of those computations $x$ such that $\mathcal{K}(x) \subseteq F$), while a guarantee property states that an execution passes a state which satisfies a certain finitary property $F$ (i.e. a guarantee property consists of those computations $x$ where $\mathcal{K}(x) \cap F \neq \emptyset$). Response $\mathcal{R}$ and persistence $\mathcal{P}$ are defined similarly. Furthermore, we endow the model with natural topologies (order-theoretic and, in the presence of a length function, a metric) and give the corresponding topological characterizations of the classes of properties described above. Finally, we compare our results with existing hierarchies defined for the domains of strings and Mazurkiewicz traces. We show that the result of [3] that safety, resp. liveness, properties are the closed, resp. dense, subsets carries over to arbitrary linear time models $A$. In addition, the hierarchy of [7] corresponds to ours, while that of [19] does not w.r.t. the operators $\mathcal{R}$ and $\mathcal{P}$ unless the definition of response in [19] is appropriately strengthened.

Our definitions are general enough to admit the transfer of our results to other interleaving, as well as partial order, models, e.g. pomsets.
The paper is organized as follows. Section 2 presents the axiomatization of our model $A$, and in Section 2.1 we show that the semantic domains of strings, Mazurkiewicz traces and pomsets are linear time models in our sense. Later we show that linear time models as defined here are closely related to algebraic dcpo's (directed-complete partial orders) and metric spaces (Sections 2.2 and 2.3). In Section 3 we define the properties of safety, liveness, guarantee, response and persistence, and give a topological characterization of each class of properties. In Section 4 we show how temporal logic can be used to describe properties in any linear time model. We interpret the linear time logic LTL [7] over the ‘interleaving models’ (where the next step of a computation in a given state is uniquely determined, see Section 4.2) and the partial order temporal logic ISTL* [13] over ‘true concurrency models’ (where there might be several alternatives, arising from the way in which concurrent events are executed, to proceed in a given state, see Section 4.3).

2.  Linear  time  models 

In this section we define the notion of an abstract linear time model. We then show (Section 2.2) that linear time models in our sense can be endowed with a natural ordering and that (under additional assumptions) they form algebraic dcpo's. Furthermore, in Section 2.3 we consider the class of models equipped with a length function (which counts the number of atomic steps that a partial computation has to perform) and show that they can be endowed with a distance. We assume that the reader is familiar with the basic notions of domain theory, see e.g. [2], and metric spaces, see e.g. [10].

Definition 2.1. A linear time model is a set $A$ which is divided into disjoint subsets $\mathcal{K}(A)$ and $\overline{A}$, together with a mapping $x \mapsto \mathcal{K}(x)$ which assigns to each $x \in A$ a subset $\mathcal{K}(x)$ of $\mathcal{K}(A)$ such that:

(1) If $\xi \in \mathcal{K}(x)$ then $\mathcal{K}(\xi) \subseteq \mathcal{K}(x)$.

(2) For each $\xi \in \mathcal{K}(A)$ there is some $x \in \overline{A}$ with $\xi \in \mathcal{K}(x)$.

(3) $\xi \in \mathcal{K}(\xi)$ for each $\xi \in \mathcal{K}(A)$.

(4) If $\mathcal{K}(x) = \mathcal{K}(y)$ then $x = y$.

(5) For each $x \in A$ there exists an $x$-path, i.e. a sequence $(\xi_n)_{n \ge 0}$ in $\mathcal{K}(x)$ such that

$$\mathcal{K}(\xi_0) \subseteq \mathcal{K}(\xi_1) \subseteq \mathcal{K}(\xi_2) \subseteq \dots \quad\text{and}\quad \mathcal{K}(x) = \bigcup_{n \ge 0} \mathcal{K}(\xi_n).$$

The elements of $\mathcal{K}(A)$ should be thought of as partial computations (the ‘finite’ elements), and the elements of $\overline{A}$ as complete computations, or briefly computations (the ‘infinite’, or ‘maximal’ elements). The set $\mathcal{K}(x)$ is the set of all partial computations of $x$. Condition (1) states that if $\xi$ is a partial computation of some computation $x$ then all partial computations of $\xi$ are partial computations of $x$. (2) ensures that only those partial computations are considered which are execution fragments of complete computations, or, in other words, which can be extended to a complete computation. (3) says that each partial computation approximates itself. (4) ensures that different computations can be distinguished by their partial computations. By condition (5) each complete computation can be approximated by its partial computations.

Each $x$-path should be viewed as a fragment of a possible execution (linearization) of $x$: if $\xi_0, \xi_1, \xi_2, \dots$ is an $x$-path we think of $\xi_n$ as an intermediate state which the execution reaches after performing the partial computation described by $\xi_n$. It might be the case that there are additional intermediate states which are not represented by an element of the $x$-path. When considering the next step relation as in Section 4, which determines the possible next steps in an intermediate state, the executions of a computation $x$ are defined to be those $x$-paths which obey the next step relation. In this case the $x$-paths are exactly the subsequences of the executions of $x$. The criterion for an $x$-path to approximate $x$ (in the sense that $\bigcup_n \mathcal{K}(\xi_n) = \mathcal{K}(x)$) imposes a fairness (or maximal progress) constraint, since every partial computation must be subsumed by a partial computation of the $x$-path, i.e. each action which is performed in some execution is executed in every execution. This corresponds to the notion of an ‘acceptable path’ as in [13], ‘maximally’ of [18], or ‘justice’ in the sense of [30]. We extend the notion of an $x$-path to partial computations as follows. If $\xi \in \mathcal{K}(A)$ then a $\xi$-path is a sequence $(\xi_n)_{n \ge 0}$ in $\mathcal{K}(A)$ such that

$$\mathcal{K}(\xi_0) \subseteq \mathcal{K}(\xi_1) \subseteq \mathcal{K}(\xi_2) \subseteq \dots \subseteq \mathcal{K}(\xi_n) = \mathcal{K}(\xi_{n+1}) = \dots = \mathcal{K}(\xi).$$

Definition 2.2. A linear time model with an initial state is a linear time model $A$ satisfying:

(6) There exists $\bot \in \mathcal{K}(A)$ with $\mathcal{K}(\bot) = \{\bot\}$ and $\bot \in \mathcal{K}(x)$ for all $x \in A$.

Because of conditions (3) and (4), the element $\bot$ in condition (6) is unique if it exists. $\bot$ can be interpreted as the partial computation which represents the state in which no action has been performed. By our interpretation of the partial computations as the intermediate states of executions the element $\bot$ can be considered as the (common) initial state. (This explains the notion ‘linear time model with an initial state’.)

2.1. Concrete examples of linear time models. Throughout the paper we illustrate the use of our framework by means of examples defined for the linear time models of strings, Mazurkiewicz traces and pomsets. In this section we recall the basic definitions.

We suppose $\Sigma$ to be a countable set of atomic actions including special symbols $\surd$ and $\delta$ which model termination and deadlock. Both $\surd$ and $\delta$ are assumed not to affect the state of the system, and cannot be performed except when the system has reached its final state.

2.1.1. The domain of strings. By a string over the alphabet $\Sigma$ we mean a (finite or infinite) sequence $s = \alpha_0 \alpha_1 \alpha_2 \dots$ of elements of $\Sigma$ such that either the actions $\surd$ and $\delta$ do not occur in $s$ or there is some $k \ge 0$ such that $\alpha_i \neq \surd, \delta$ for all $0 \le i < k$ and either $\alpha_i = \surd$ for all $i \ge k$ or $\alpha_i = \delta$ for all $i \ge k$. Infinite strings containing $\surd$ represent successfully terminating computations, those containing $\delta$ model deadlocked computations, while those not containing any occurrence of $\surd$ and $\delta$ represent non-terminating computations. Finite prefixes of a string represent its partial computations. $\Sigma^*$ denotes the set of finite strings over $\Sigma$, $\Sigma^\omega$ the set of infinite strings over $\Sigma$. $A = \Sigma^\infty$ is a linear time model in our sense; take $\mathcal{K}(A) = \Sigma^*$, $\overline{A} = \Sigma^\omega$, and define $\mathcal{K}(x)$ to be the set of all finite prefixes of $x$.

If $x \in \Sigma^\infty$ then $x[n]$ denotes the $n$-th prefix of $x$ (if the length of $x$ is $\le n$ put $x[n] = x$). We assume $\Sigma^\infty$ to be endowed with the usual distance

$$d(s,t) = \inf \left\{ \frac{1}{2^n} : s[n] = t[n] \right\}$$

and the usual prefix order (denoted by $\sqsubseteq$). Then $\Sigma^\infty$ is a complete ultrametric space and an algebraic dcpo. The finite strings are the compact elements in $\Sigma^\infty$ viewed as an algebraic dcpo. $\Sigma^*$ is a dense subset of isolated elements in $\Sigma^\infty$ when viewed as a metric space.

2.1.2. Mazurkiewicz traces. An independency relation on the alphabet $\Sigma$ is an irreflexive and symmetric binary relation $\iota \subseteq \Sigma \times \Sigma$ such that $\surd$ and $\delta$ are dependent on every action, i.e. $\neg(\alpha \,\iota\, \surd) \wedge \neg(\alpha \,\iota\, \delta)$ for all $\alpha \in \Sigma$. The pair $(\Sigma, \iota)$ is called a concurrent alphabet. The independency relation $\iota$ identifies those actions in the system which can happen concurrently; thus, if $\alpha \,\iota\, \beta$ then $\alpha, \beta$ are independent actions of two concurrent processes $P$ and $Q$, i.e. $P$ and $Q$ cannot communicate via $\alpha$ and $\beta$. Let $\equiv$ [24, 17] be the smallest equivalence relation on $\Sigma^\infty$ such that

$$\text{whenever } s \in \Sigma^*,\ t \in \Sigma^\infty,\ \alpha, \beta \in \Sigma,\ \alpha \,\iota\, \beta \text{ then } s\alpha\beta t \equiv s\beta\alpha t.$$

A trace is an equivalence class $[s]$ of a string $s \in \Sigma^\infty$. If $s$ is (in)finite then $[s]$ is called (in)finite. The length of a trace is the length of one of its representatives. $[\Sigma^*]$ denotes the set of finite traces, while $[\Sigma^\omega]$ denotes the set of infinite traces. Clearly, $[\Sigma^\infty] = [\Sigma^*] \cup [\Sigma^\omega]$ forms a linear time model in our sense; to see this take the finite traces as partial computations, the infinite traces as complete computations, and define the set $\mathcal{K}(x)$ of partial computations of $x$ as consisting of all those finite traces $[s]$ where $s$ is a prefix of some representative of $x$.

If $x$ is a trace then $x(n)$ denotes the set of finite traces $[s]$ where $s$ is a prefix of some representative $t \in \Sigma^\infty$ of $x$ and where the length of $s$ is at most $n$. As in [17, 16], we consider the linear time model $[\Sigma^\infty]$ of traces in the following sense. We suppose $[\Sigma^\infty]$ to be equipped with the prefix order:

$$x \sqsubseteq y \iff \exists\, s, t \in \Sigma^\infty:\ s \sqsubseteq t,\ x = [s],\ y = [t].$$

Then $[\Sigma^\infty]$ is an algebraic dcpo (see e.g. [17]), with the finite traces being the compact elements. Moreover, $[\Sigma^\infty]$ also has an associated metric $d$ given by:

$$d(x,y) = \inf \left\{ \frac{1}{2^n} : x(n) = y(n) \right\}.$$

Then $[\Sigma^\infty]$ is a complete ultrametric space and $[\Sigma^*]$ is a dense subset of isolated elements (see [16]).

2.1.3. Pomsets. Pomsets (partially ordered multisets) were first introduced in [29]. Several variants of pomsets are known from the literature; here we use the notion of a pomset as a labelled prime event structure without conflicts in the sense of [33]. The underlying partial order is that of [33] restricted to pomsets, and the underlying metric is due to [5].

A pomset is a partially ordered set $(S, \le)$ which is endowed with a labelling function $l : S \to \Sigma$ that maps the elements of $S$ (called events) to actions and such that either all events are labelled with actions $\alpha \neq \surd, \delta$, or there exists an event $e \in S$ labelled by $\surd$ or $\delta$ such that:

• $e\!\uparrow\, = \{ e' \in S : e \le e' \}$ is totally ordered and $l(e) = l(e')$ for all events $e' \in e\!\uparrow$.

• No event $e' \in S$, $e' < e$, is labelled by $\surd$ or $\delta$.

By a finite pomset we mean a pomset where the underlying partially ordered set is finite. Pomsets represent computations in the following sense. The execution of an event $e \in S$ means the execution of the associated action $l(e)$. If $e < e'$ (i.e. $e \le e'$ and $e \neq e'$) then $e$ must be executed before $e'$. If $e, e'$ are independent events (i.e. neither $e \le e'$ nor $e' \le e$) then $e$ and $e'$ may be executed in parallel. In addition, we require that each event is reachable, i.e. for each $e \in S$ the set of predecessors of $e$ is finite. Infinite (non-terminating) computations are represented by infinite pomsets where no event is labelled by $\surd$ or $\delta$. Terminating computations correspond to infinite pomsets where some (and hence almost all) events are labelled by $\surd$. Deadlocked computations are modelled by those infinite pomsets in which almost all events are labelled by $\delta$. Partial computations are denoted by finite pomsets.

ON TOPOLOGICAL HIERARCHIES OF TEMPORAL PROPERTIES 7

If $x = (S, \le, l)$ is a pomset and $e \in S$ then the depth of $e$ in $x$ is given by:

$$\mathrm{depth}_x(e) = \sup \{ n : \exists\, e_1, \dots, e_n \in S\ \ e_1 < \dots < e_n = e \}.$$

If $S' \subseteq S$ is left-closed (i.e. whenever $e \in S'$ and $e' \le e$ then $e' \in S'$) then we define $x|S' = (S', \le \cap\, (S' \times S'), l|S')$.

We put $x[n] = x|S[n]$, where $S[n] = \{ e \in S : \mathrm{depth}_x(e) \le n \}$. $Pom^\infty$ denotes the set of all (finite and infinite) pomsets, and $Pom^*$ the subset of finite pomsets. For convenience we assume that the set of events is contained in a fixed countable set $Events$.² Clearly, $Pom^\infty$ forms a linear time model in our sense. To see this take $Pom^*$ as the set of partial computations and $Pom^\omega = Pom^\infty \setminus Pom^*$ as the set of complete computations. If $x = (S, \le, l)$ is a pomset then define $\mathcal{K}(x)$ to be the set of all pomsets $x|S'$ where $S'$ is a finite and left-closed subset of $S$. $Pom^\infty$ can be endowed with the distance

$$d(x,y) = \inf \left\{ \frac{1}{2^n} : x[n] = y[n] \right\}$$

and the partial order $x \sqsubseteq y \iff \exists S\ \ x = y|S$. Then $Pom^\infty$ is a complete ultrametric space (see e.g. [5]) and an algebraic dcpo. The compact elements in $Pom^\infty$, when viewed as an algebraic dcpo, are the finite pomsets. Since the underlying set $Events$ is countable, the set $S$ of events of a pomset is also countable. Hence, for each pomset $x$ the set of finite pomsets $\xi$ with $\xi \sqsubseteq x$ is countable (since the set of finite subsets of a countable set is countable). $Pom^*$ is a dense subspace of isolated elements in $Pom^\infty$ as a metric space.

2.2. Linear time models and algebraic dcpo's. The relation of ‘being a partial computation of’ on linear time models induces a partial order in the following sense. Let $A$ be a linear time model and define

$$x \sqsubseteq y \iff \mathcal{K}(x) \subseteq \mathcal{K}(y).$$

Then $\sqsubseteq$ is a partial order on $A$ (called the natural order on $A$). The partial computations of $A$ are the compact elements. Conditions (1) and (5) of Definition 2.1 ensure that for each $x \in A$ the set $\mathcal{K}(x)$ is an ideal (i.e. left-closed and directed), and $x$ is the least upper bound of $\mathcal{K}(x)$. In linear time models with an initial state the unique element $\bot$ with $\bot \in \mathcal{K}(x)$ for all $x \in A$ is the bottom element.

Definition 2.3. An order-enriched linear time model is a linear time model $A$ with an initial state which satisfies:

(7) For each directed subset $X$ of $\mathcal{K}(A)$ there exists $z \in A$ with

$$\mathcal{K}(z) = \bigcup_{\xi \in X} \mathcal{K}(\xi).$$

² This assumption is essential to ensure that $Pom^\infty$ is a set.
The following two theorems show that order-enriched linear time models correspond to the algebraic dcpo's satisfying the condition that the set of compact elements below any element is countable.

Theorem 2.4. Each order-enriched linear time model $A$ is an algebraic dcpo. $\mathcal{K}(A)$ is the set of compact elements and $\bot$ the bottom element; $\mathcal{K}(x)$ is the set of compact elements $\xi \sqsubseteq x$. Whenever $X \subseteq A$ is directed then the (unique) element $z \in A$ with

$$\mathcal{K}(z) = \bigcup_{x \in X} \mathcal{K}(x)$$

is the least upper bound of $X$.

Proof. We only show that for each directed subset $X$ of $A$ the least upper bound $\bigsqcup X$ exists. The remaining statements are easy verifications. Let $X$ be a directed subset of $A$ and let $K = \bigcup_{x \in X} \mathcal{K}(x)$. Then $K$ is a directed subset of $\mathcal{K}(A)$ (this is because $X$ and the sets $\mathcal{K}(x)$ are directed). By condition (7) there exists $z \in A$ with $\mathcal{K}(z) = \bigcup_{\xi \in K} \mathcal{K}(\xi)$. It is easy to see that then $\mathcal{K}(z) = K$. Hence, $\mathcal{K}(x) \subseteq \mathcal{K}(z)$ for all $x \in X$, i.e. $z$ is an upper bound of $X$. If $y \in A$ is also an upper bound of $X$ then $\mathcal{K}(x) \subseteq \mathcal{K}(y)$ for all $x \in X$. Thus, $\mathcal{K}(z) = K \subseteq \mathcal{K}(y)$ and therefore $z \sqsubseteq y$. Hence, $z = \bigsqcup X$. □

Theorem 2.5. If $D$ is an algebraic dcpo such that

(i) for every $x \in D$ the set of compact elements $\xi$ with $\xi \sqsubseteq x$ is countable, and

(ii) for every compact element $\xi$ there exists a non-compact element $x \in D$ with $\xi \sqsubseteq x$,

then $D$ is an order-enriched linear time model where the natural order on $D$ as a linear time model agrees with the original partial order on $D$. The finite elements are the compact elements in $D$. The set $\mathcal{K}(x)$ is the set of compact elements $\xi \sqsubseteq x$.

Proof. We define $\mathcal{K}(D)$ to be the set of compact elements of $D$ and $\overline{D} = D \setminus \mathcal{K}(D)$. Then it is easy to see that conditions (1), (3), (4), (6) and (7) are satisfied. Condition (2) follows by (ii), condition (5) by (i) and the fact that $\bigsqcup \mathcal{K}(x) = x$. □

Example 2.6. The algebraic dcpo's $\Sigma^\infty$, $[\Sigma^\infty]$ and $Pom^\infty$ satisfy the conditions (i) and (ii) of Theorem 2.5, and hence all are order-enriched linear time models.

If $D$ is an algebraic dcpo satisfying condition (i) of Theorem 2.5 then $D$ can be embedded into an order-enriched linear time model $A$ such that for each $x \in D$ the set $\mathcal{K}(x)$ is the set of compact elements $\xi \in D$ with $\xi \sqsubseteq x$. Notice that in $D$ condition (2) might be violated. In order to fulfil condition (2), for each compact element $\xi \in D$ which does not have a non-compact upper bound in $D$ we create new elements $(\xi, n)$ where $n \in \mathbb{N}_0 \cup \{\infty\}$, and we extend the original partial order $\sqsubseteq$ on $D$ as follows: $\sqsubseteq'$ is the smallest partial order on $A$ (which contains $D$ and the new elements $(\xi, n)$) which satisfies

$$\xi \sqsubseteq' (\xi, 0) \sqsubseteq' (\xi, 1) \sqsubseteq' \dots \sqsubseteq' (\xi, \infty).$$

Then the elements $(\xi, n)$, $n \in \mathbb{N}_0$, are compact in $A$ and $(\xi, \infty)$ is a non-compact upper bound of $\xi$ in $A$.

Corollary 2.7. Each $\omega$-algebraic cpo $D$ can be embedded into an order-enriched linear time model $A$ such that for each $x \in D$ the set $\mathcal{K}(x)$ is the set of compact elements $\xi \in D$, $\xi \sqsubseteq x$.

2.3. Linear time models and metric spaces. If partial computations consist of executions of finitely many atomic actions then we have a natural notion of a length on $\mathcal{K}(A)$: the length of a partial computation $\xi$ is the maximum number of atomic steps which an execution of $\xi$ needs. This notion is similar to that defined for a partial order in [22]. We show that linear time models with a suitable length function are metric spaces.

Definition 2.8. A length function on a linear time model $A$ with initial state $\bot$ is a function

$$|\cdot| : \mathcal{K}(A) \to \mathbb{N}_0$$

such that:

(8) $|\bot| = 0$ and $\xi \in \mathcal{K}(\eta)$ implies $|\xi| \le |\eta|$.

(9) For each $x \in A$ there exists an $x$-path $(\xi_n)_{n \ge 0}$ with $|\xi_n| = \min\{ |x|, n \}$ for all $n \ge 0$. Here we put $|x| = \infty$ if $x \in \overline{A}$.

Condition (8) ensures that partial computations of $\eta$ do not require more steps than $\eta$ itself. Condition (9) asserts that each computation $x$ can be approximated by a length-increasing sequence $(\xi_n)$ of partial computations of $x$, where the length of $\xi_n$ is exactly $n$ or $|x|$. Given a length function on a linear time model $A$ we put

$$\mathcal{K}_n(A) = \{ \xi \in \mathcal{K}(A) : |\xi| \le n \}$$

and $\mathcal{K}_n(x) = \mathcal{K}_n(A) \cap \mathcal{K}(x)$. Then

$$d(x,y) = \inf \left\{ \frac{1}{2^n} : \mathcal{K}_n(x) = \mathcal{K}_n(y) \right\}$$

is an ultrametric on $A$. Note that condition (4) ensures that $d(x,y) = 0$ implies $x = y$.

Notation 2.9. If $(M, d)$ is a metric space, $x \in M$ and $r > 0$ then $B(x,r)$ denotes the open ball with centre $x$ and radius $r$. $\overline{B}(x,r)$ denotes the closure of $B(x,r)$, i.e.

$$\overline{B}(x,r) = \{ y \in M : d(x,y) \le r \}.$$

Since the induced distance can only take the values $0$ or $1/2^n$ for some natural number $n$, for all elements $x$ of a linear time model with a length function we have that $B(x,r) = \overline{B}(x, 1/2^n)$ where $n = 0$ if $r > 1$ and $n$ is the unique natural number satisfying $1/2^n < r \le 1/2^{n-1}$ otherwise.

Lemma 2.10. Let $A$ be a linear time model with a length function. Then $\mathcal{K}(A)$ is a dense subset of $A$ and all elements of $\mathcal{K}(A)$ are isolated in $A$.

In general, the induced metric space of a linear time model with a length function is not complete. In order to ensure completeness the following condition is needed:

(10) If $(x_n)_{n \ge 0}$ is a sequence in $A$ with $\mathcal{K}_n(x_n) = \mathcal{K}_n(x_{n+1})$ for all $n \ge 0$ then there exists $x \in A$ with $\mathcal{K}_n(x) = \mathcal{K}_n(x_n)$ for all $n \ge 0$.
Example 2.11. The linear time models $\Sigma^\infty$ and $[\Sigma^\infty]$ can be endowed with the length function which assigns to each finite string/trace its usual length. On $Pom^\infty$ the function

$$|\cdot| : Pom^* \to \mathbb{N}_0, \qquad |\xi| = \max \{ \mathrm{depth}_\xi(e) : e \text{ is an event in } \xi \}$$

is a length function. In all three cases the ultrametric induced by the underlying length function coincides with the usual metric (cf. Section 2.1).

Theorem 2.12. Let $M$ be an ultrametric space, $M_0$ a subspace of $M$ and $|\cdot| : M_0 \to \mathbb{N}_0$ a function such that:

(i) For all $\xi \in M_0$, $|\xi| = n$, there exists $x \in M \setminus M_0$ with $d(\xi, x) \le 1/2^n$.

(ii) For each $x \in M$ with either $x \notin M_0$ or $|x| > n$ there exists a unique element $x[n] \in M_0$ with

$$|x[n]| = n \quad\text{and}\quad d(x[n], x) \le \frac{1}{2^n}.$$

We put $\xi[n] = \xi$ if $\xi \in M_0$, $|\xi| \le n$, and $|x| = \infty$ if $x \in M \setminus M_0$. Then $M$ is a linear time model with $\mathcal{K}(M) = M_0$ and

$$\mathcal{K}(x) = \{ x[n] : n \ge 0 \}.$$

In addition, we have for all $x, y \in M$:

(a) $x[n]$ is the unique element $\xi \in \mathcal{K}(x)$ with $|\xi| = \min\{ |x|, n \}$.

(b) $d(x,y) \le 1/2^n$ iff $x[n] = y[n]$.

(c) $(x[m])[n] = (x[n])[m] = x[n]$ for all $0 \le n \le m$.

(d) $|x| = \sup \{ |\xi| : \xi \in \mathcal{K}(x) \}$.

Proof. Let $\overline{M} = M \setminus M_0$. (a), (b), (c) and (d) are easy verifications. Conditions (1) and (3) are satisfied because of (c). Condition (2) follows by (i), conditions (5) and (9) by (ii), condition (8) by (d).

To see that (4) holds, let $x, y$ be such that $\mathcal{K}(x) = \mathcal{K}(y)$; then $x[n] = y[n]$ for all $n \ge 0$ because of (a). Hence, $x = \lim x[n] = \lim y[n] = y$. □

Definition 2.13. A linear time model with a length function satisfying the conditions (i) and (ii) of Theorem 2.12 is called metric-enriched.

Example 2.14. The linear time model $\Sigma^\infty$ and the linear time model of pomsets $x \in Pom^\infty$ such that $x[n] \in Pom^*$ for all $n \ge 0$ are metric-enriched.

In Example 2.14 it is essential that we deal with pomsets whose $n$-cuts $x[n]$ are finite (‘finitely approximable’ pomsets in the sense of [12]), as otherwise condition (ii) of Theorem 2.12 would be violated: if $x$ is a pomset where $x[n]$ is infinite then there is no pomset $\xi \in Pom^*$ with $|\xi| = n$ and $d(x, \xi) \le 1/2^n$. Condition (ii) of Theorem 2.12 is also violated when we deal with the linear time model of Mazurkiewicz traces with a non-empty independency relation. For instance, for the trace $x$ induced by the string $s = \alpha\beta\gamma\gamma\gamma\dots$ with $\alpha \,\iota\, \beta$ there does not exist a finite trace $\xi$ of length $1$ with $d(x, \xi) = 1/2$. This is because $\mathcal{K}_1(x)$ contains the traces $[\alpha]$ and $[\beta]$, and $d(x, [\alpha]) = d(x, [\beta]) = 1$. An alternative length function for traces can be found by embedding traces into pomsets; with this length function traces form a metric-enriched model.


3. Defining properties on linear time models

In this section we give general definitions of safety, guarantee, response, persistence and liveness properties. Following [3] we define liveness properties to be those properties $T \subseteq \overline{A}$ such that each partial computation $\xi \in \mathcal{K}(A)$ has a complete computation $x \in T$ which is above it in the ordering. As in [7, 19], we define safety, guarantee, response and persistence properties by operators $\mathcal{A}$, $\mathcal{E}$, $\mathcal{R}$ and $\mathcal{P}$ acting on sets of partial computations (the finitary properties). When applied to the linear time model $\Sigma^\infty$, our definitions agree with those of [3, 7]; some early work due to Landweber, see e.g. [32], introduces a similar topological hierarchy for accepting conditions of automata on infinite sequences. We show that the hierarchy and the topological characterizations stated in [3, 7] carry over to arbitrary linear time models.

For simplicity assume from now on that $A$ is a fixed linear time model. If $F \subseteq \mathcal{K}(A)$ then $F$ is called a finitary property. Following [7] we put:

$$\mathcal{A}(F) = \{ x \in \overline{A} : \mathcal{K}(x) \subseteq F \}$$

$$\mathcal{E}(F) = \{ x \in \overline{A} : \mathcal{K}(x) \cap F \neq \emptyset \}$$

$$\mathcal{R}(F) = \{ x \in \overline{A} : \text{there exists an } x\text{-path } (\xi_n) \text{ with } \xi_n \in F \text{ for all } n \}$$

$$\mathcal{P}(F) = \{ x \in \overline{A} : \text{if } (\xi_n) \text{ is an } x\text{-path then } \xi_n \in F \text{ for almost all } n \}$$

and

$$\mathcal{A}_{\mathrm{fin}}(F) = \{ \xi \in \mathcal{K}(A) : \mathcal{K}(\xi) \subseteq F \}, \qquad \mathcal{E}_{\mathrm{fin}}(F) = \{ \xi \in \mathcal{K}(A) : \mathcal{K}(\xi) \cap F \neq \emptyset \}.$$

$\mathcal{A}(F)$, $\mathcal{E}(F)$, $\mathcal{P}(F)$ and $\mathcal{R}(F)$ respectively denote the sets of all the complete computations $x$ such that: all partial computations of $x$ are contained in $F$; some partial computation of $x$ belongs to $F$; whenever $(\xi_n)$ is an $x$-path then almost all $\xi_n$ belong to $F$; and there exists an $x$-path $(\xi_n)$ such that infinitely many $\xi_n$ belong to $F$ (an infinite subsequence of an $x$-path is again an $x$-path, so this is the same as requiring all $\xi_n$ to belong to $F$).

The above definitions of $\mathcal{A}$, $\mathcal{E}$, $\mathcal{R}$ and $\mathcal{P}$ correspond precisely to those of [7] when applied to the linear time model of strings. In the linear time model of traces, our definitions of the operators $\mathcal{A}$ and $\mathcal{E}$ coincide with those of [19], but the definitions of $\mathcal{R}$ and $\mathcal{P}$ do not. In [19], where a partial order temporal logic is used, $\mathcal{R}(F)$ is defined as the set of all infinite traces infinitely many of whose prefixes belong to $F$, and $\mathcal{P}(F)$ as the set of all infinite traces almost all of whose prefixes belong to $F$. This is not compatible with our definition since we require an $x$-path to approximate $x$ (in the sense that $x$ is the least upper bound of the $x$-path w.r.t. the natural order). For instance, let $F$ be the set of all finite traces

$$[\underbrace{\alpha\alpha \dots \alpha}_{n}], \qquad n \ge 0.$$

Let $\alpha \,\iota\, \beta$ and let $x = [\beta\alpha\alpha\alpha\dots]$. Then $x$ belongs to $\mathcal{R}(F)$ in the sense of [19], since $[\alpha^n]$ is a prefix of $x$ for every $n$, but $x \notin \mathcal{R}(F)$ according to the definition in this paper: every $x$-path must eventually have $[\beta]$ among its partial computations, and no element of $F$ does. The operators $\mathcal{R}$ and $\mathcal{P}$ as defined above admit the alternative characterization shown below.
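The operators just defined, as an added worked example that is not code from the paper: on the linear time model of strings an $x$-path is a strictly increasing sequence of prefixes of $x$, so $x \in \mathcal{R}(F)$ iff infinitely many prefixes of $x$ lie in $F$ and $x \in \mathcal{P}(F)$ iff almost all do. The Python code below decides all four operators exactly for computations of the form $x = uv^\omega$ and finitary properties $F$ recognised by a deterministic finite automaton, by reading $x$ until the automaton state after a full copy of $v$ repeats; it also builds $\mathcal{A}_{\mathrm{fin}}(F)$, $\mathcal{E}_{\mathrm{fin}}(F)$ and $\mathcal{K}(A) \setminus F$ as automata and checks, on the sample computations, the identities $\mathcal{A}(F) = \mathcal{P}(\mathcal{A}_{\mathrm{fin}}(F))$, $\mathcal{E}(F) = \mathcal{R}(\mathcal{E}_{\mathrm{fin}}(F))$ and the two complementation laws stated in Theorem 3.3. The lasso shape of $x$ is an assumption of the example; the alphabet (request, grant, other), the property ‘no request is pending’ and the four computations are constructed for the illustration.

```python
# Added worked example, not code from the paper: the operators A, E, R and P
# of Section 3 evaluated exactly on the linear time model of strings.  A
# finitary property F is a DFA over a constructed action alphabet ('r' =
# request, 'g' = grant, 'o' = other action); a complete computation x in
# Sigma^omega is a lasso x = u v^omega given as the pair (u, v).


class DFA:
    """Deterministic automaton recognising a set F of finite strings."""

    def __init__(self, start, delta, accepting):
        self.start, self.delta, self.accepting = start, dict(delta), set(accepting)

    def states(self):
        return {q for q, _ in self.delta} | set(self.delta.values()) | {self.start}

    def complement(self):
        """K(A) \\ F: the same automaton with accepting/rejecting states swapped."""
        return DFA(self.start, self.delta, self.states() - self.accepting)

    def a_fin(self):
        """A_fin(F) = { xi : K(xi) subset of F }: every prefix must be accepted,
        so leaving F once sends all extensions into a rejecting trap state."""
        trap = object()
        delta = {(q, a): (p if q in self.accepting else trap)
                 for (q, a), p in self.delta.items()}
        delta.update({(trap, a): trap for (_, a) in self.delta})
        return DFA(self.start, delta, self.accepting)

    def e_fin(self):
        """E_fin(F) = { xi : K(xi) meets F }: once a prefix is accepted, all
        extensions stay in an accepting sink state."""
        sink = object()
        delta = {(q, a): (sink if q in self.accepting else p)
                 for (q, a), p in self.delta.items()}
        delta.update({(sink, a): sink for (_, a) in self.delta})
        return DFA(self.start, delta, self.accepting | {sink})


def prefix_states(F, u, v):
    """States of F reached on the prefixes of x = u v^omega (empty prefix first),
    split into the transient part and one period of the part visited infinitely
    often: after u, copies of v are read until the state after a full copy
    repeats, from which point on the state sequence is periodic."""
    assert v, "v must be non-empty: complete computations are infinite"
    states = [F.start]
    for a in u:
        states.append(F.delta[states[-1], a])
    first_seen = {}
    while states[-1] not in first_seen:
        first_seen[states[-1]] = len(states) - 1
        for a in v:
            states.append(F.delta[states[-1], a])
    cut = first_seen[states[-1]]
    return states[:cut], states[cut:-1]


def safety(F, x):        # x in A(F): every prefix of x is in F
    t, r = prefix_states(F, *x)
    return all(q in F.accepting for q in t + r)


def guarantee(F, x):     # x in E(F): some prefix of x is in F
    t, r = prefix_states(F, *x)
    return any(q in F.accepting for q in t + r)


def response(F, x):      # x in R(F): infinitely many prefixes of x are in F
    _, r = prefix_states(F, *x)
    return any(q in F.accepting for q in r)


def persistence(F, x):   # x in P(F): almost all prefixes of x are in F
    _, r = prefix_states(F, *x)
    return all(q in F.accepting for q in r)


def classify(F, x):
    return {"safety": safety(F, x), "guarantee": guarantee(F, x),
            "response": response(F, x), "persistence": persistence(F, x)}


def check_theorem_3_3(F, x):
    """Instances of Theorem 3.3 on one computation x: the A/E and P/R
    complementation laws, A(F) = P(A_fin(F)), E(F) = R(E_fin(F)), and the
    inclusion A(F) subset of P(F) that follows from the first identity."""
    c = classify(F, x)
    return (c["safety"] == (not guarantee(F.complement(), x))
            and c["persistence"] == (not response(F.complement(), x))
            and c["safety"] == persistence(F.a_fin(), x)
            and c["guarantee"] == response(F.e_fin(), x)
            and (not c["safety"] or c["persistence"]))


# Constructed finitary property F = "no request is pending":
# state 0 = nothing pending, state 1 = a request awaits its grant.
NOT_PENDING = DFA(0, {(0, "r"): 1, (0, "g"): 0, (0, "o"): 0,
                      (1, "r"): 1, (1, "g"): 0, (1, "o"): 1}, {0})

# Constructed computations x = u v^omega.
IDLE = ("", "o")          # o o o ...      no request is ever made
ALTERNATING = ("", "rg")  # r g r g ...    every request is granted at once
STARVED = ("r", "o")      # r o o o ...    one request, never granted
QUIET = ("rg", "o")       # r g o o o ...  one request, granted, then quiet

if __name__ == "__main__":
    for name, x in [("idle", IDLE), ("alternating", ALTERNATING),
                    ("starved", STARVED), ("quiet", QUIET)]:
        print(name, classify(NOT_PENDING, x), check_theorem_3_3(NOT_PENDING, x))
```

The lasso form is what makes the four membership tests finite: for a computation that is not ultimately periodic the response and persistence tests would need an $\omega$-automaton instead. Note also that `STARVED` is in $\mathcal{E}(F)$ (the empty prefix has no pending request) but not in $\mathcal{R}(F)$, which is why Theorem 3.3 relates $\mathcal{E}(F)$ to $\mathcal{R}(\mathcal{E}_{\mathrm{fin}}(F))$ rather than to $\mathcal{R}(F)$.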

Lemma 3.1. Let $F \subseteq \mathcal{K}(A)$. Then:

(a) $x \in \mathcal{R}(F)$ iff for every $\xi \in \mathcal{K}(x)$ there exists $\xi' \in \mathcal{K}(x) \cap F$ with $\xi \in \mathcal{K}(\xi')$.

(b) $x \in \mathcal{P}(F)$ iff there exists $\xi \in \mathcal{K}(x)$ such that $\xi' \in \mathcal{K}(x)$, $\xi \in \mathcal{K}(\xi')$ implies $\xi' \in F$.

Proof. (a) If $x \in \mathcal{R}(F)$ then there exists an $x$-path $(\xi_n)$ in $F$. Let $\xi \in \mathcal{K}(x)$. Then $\xi \in \mathcal{K}(x) = \bigcup_{n \ge 0} \mathcal{K}(\xi_n)$. Hence, there exists $n \ge 0$ such that $\xi \in \mathcal{K}(\xi_n)$.

Conversely, assume that the condition on the right-hand side of (a) is fulfilled. Let $(\eta_n)$ be an $x$-path. For each $n \ge 0$ there exists $\xi_n \in \mathcal{K}(x) \cap F$ with $\eta_n \in \mathcal{K}(\xi_n)$. Then a suitable subsequence of $(\xi_n)$ is an $x$-path in $F$.

(b) Follows by the duality of $\mathcal{R}$ and $\mathcal{P}$ and part (a). □

Definition 3.2. A safety, guarantee, response, resp. persistence property is any property of the form $\mathcal{A}(F)$, $\mathcal{E}(F)$, $\mathcal{R}(F)$, resp. $\mathcal{P}(F)$, where $F$ is a finitary property. A subset $T$ of $\overline{A}$ is called a liveness property iff for each $\xi \in \mathcal{K}(A)$ there exists $x \in T$ such that $\xi \in \mathcal{K}(x)$. An obligation property is a property of the form

$$T = \bigcap_{1 \le i \le m} (S_i \cup G_i)$$

where $S_1, \dots, S_m$ are safety properties and $G_1, \dots, G_m$ are guarantee properties. A reactivity property is a property of the form

$$T = \bigcap_{1 \le i \le m} (R_i \cup P_i)$$

where $R_1, \dots, R_m$ are response properties and $P_1, \dots, P_m$ are persistence properties.

The hierarchy of safety, guarantee, response, persistence, obligation and reactivity properties, and the duality of $\mathcal{A}$ and $\mathcal{E}$, resp. $\mathcal{R}$ and $\mathcal{P}$, as stated in [7] carry over to our general framework:

Theorem 3.3. Persistence properties subsume safety properties, and guarantee properties are special kinds of response properties:

$$\mathcal{A}(F) = \mathcal{P}(\mathcal{A}_{\mathrm{fin}}(F)), \qquad \mathcal{E}(F) = \mathcal{R}(\mathcal{E}_{\mathrm{fin}}(F)).$$

Guarantee properties are complements of safety properties, while response properties are complements of persistence properties:

$$\overline{A} \setminus \mathcal{A}(F) = \mathcal{E}(\mathcal{K}(A) \setminus F), \qquad \overline{A} \setminus \mathcal{P}(F) = \mathcal{R}(\mathcal{K}(A) \setminus F).$$

Obligation properties are special kinds of response and persistence properties:

$$\bigcap_{1 \le i \le m} \bigl( \mathcal{A}(F_i) \cup \mathcal{E}(F_i') \bigr) = \mathcal{R}\Bigl( \bigcap_{1 \le i \le m} H_i \Bigr) = \mathcal{P}\Bigl( \bigcap_{1 \le i \le m} H_i \Bigr)$$

where

$$H_i = \mathcal{A}_{\mathrm{fin}}(F_i) \cup \mathcal{E}_{\mathrm{fin}}(F_i').$$

Reactivity properties subsume response and persistence properties, and obligation properties subsume safety and guarantee properties.

PROOF. The duality of $\mathcal{A}$ and $\mathcal{E}$ resp. $\mathcal{R}$ and $\mathcal{P}$ is an easy verification. It is clear that each safety or guarantee property is an obligation property since:

$$\mathcal{A}(F) = \mathcal{A}(F) \cup \mathcal{E}(\emptyset), \qquad \mathcal{E}(F') = \mathcal{A}(\emptyset) \cup \mathcal{E}(F')$$

and that each response or persistence property is a reactivity property:

$$\mathcal{R}(F) = \mathcal{R}(F) \cup \mathcal{P}(\emptyset), \qquad \mathcal{P}(F') = \mathcal{R}(\emptyset) \cup \mathcal{P}(F').$$

The equation $\mathcal{E}(F) = \mathcal{R}(\mathcal{E}_{fin}(F))$ follows by $\mathcal{A}(F) = \mathcal{P}(\mathcal{A}_{fin}(F))$ and the duality of $\mathcal{A}$ and $\mathcal{E}$, resp. $\mathcal{R}$ and $\mathcal{P}$.

(1) We show $\mathcal{A}(F) = \mathcal{P}(\mathcal{A}_{fin}(F))$. If $x \in \mathcal{A}(F)$ then $\mathcal{K}(x) \subseteq F$. Hence, for all $\xi \in \mathcal{K}(x)$, $\mathcal{K}(\xi) \subseteq \mathcal{K}(x) \subseteq F$. Therefore, $\xi \in \mathcal{A}_{fin}(F)$. We conclude that $\mathcal{K}(x) \subseteq \mathcal{A}_{fin}(F)$, and hence $x \in \mathcal{P}(\mathcal{A}_{fin}(F))$.

If $x \in \mathcal{P}(\mathcal{A}_{fin}(F))$ then (by Lemma 3.1(b)) there exists $\xi \in \mathcal{K}(x)$ such that whenever $\xi' \in \mathcal{K}(x)$, $\xi \in \mathcal{K}(\xi')$, then $\xi' \in \mathcal{A}_{fin}(F)$. Let $\eta \in \mathcal{K}(x)$. There exists $\xi' \in \mathcal{K}(x)$ with $\xi, \eta \in \mathcal{K}(\xi')$. Then $\xi' \in \mathcal{A}_{fin}(F)$ and therefore $\eta \in \mathcal{K}(\xi') \subseteq F$. It follows that $x \in \mathcal{A}(F)$.

(2) Next we prove that if $F, F' \subseteq \mathcal{K}(A)$ then $\mathcal{A}(F) \cup \mathcal{E}(F') = \mathcal{R}(H) = \mathcal{P}(H)$ where $H = \mathcal{A}_{fin}(F) \cup \mathcal{E}_{fin}(F')$.

If $x \in \mathcal{A}(F)$ then by part (1) of this proof $x \in \mathcal{P}(\mathcal{A}_{fin}(F)) \subseteq \mathcal{R}(\mathcal{A}_{fin}(F))$. Hence, $x \in \mathcal{P}(\mathcal{A}_{fin}(F)) \subseteq \mathcal{P}(H)$ and $x \in \mathcal{R}(\mathcal{A}_{fin}(F)) \subseteq \mathcal{R}(H)$. If $x \in \mathcal{E}(F')$ then there is some $\xi \in \mathcal{K}(x) \cap F'$. Let $(\xi_n)$ be an $x$-path. Then $\xi \in \mathcal{K}(\xi_{n_0})$ for some $n_0$. Then $\xi \in \mathcal{K}(\xi_n)$ for all $n \ge n_0$. Hence, $\xi_n \in \mathcal{E}_{fin}(F')$ for almost all $n$. Therefore, $x \in \mathcal{P}(\mathcal{E}_{fin}(F'))$. We conclude $x \in \mathcal{R}(\mathcal{E}_{fin}(F')) \subseteq \mathcal{R}(H)$ and $x \in \mathcal{P}(H)$.

Let $x \in \mathcal{R}(H)$. (Since $\mathcal{P}(H) \subseteq \mathcal{R}(H)$ this includes the case $x \in \mathcal{P}(H)$.) Then there is an $x$-path $(\xi_n)$ in $H$.

• If there exists $n \ge 0$ such that $\xi_n \in \mathcal{E}_{fin}(F')$ then $\mathcal{K}(\xi_n) \cap F' \ne \emptyset$. Since $\mathcal{K}(\xi_n) \subseteq \mathcal{K}(x)$, $\mathcal{K}(x) \cap F' \ne \emptyset$. Thus $x \in \mathcal{E}(F')$.

• If $\xi_n \notin \mathcal{E}_{fin}(F')$ for all $n$ then $\xi_n \in \mathcal{A}_{fin}(F)$ for all $n$. Hence, $\mathcal{K}(\xi_n) \subseteq F$ for all $n$. Therefore, $\mathcal{K}(x) = \bigcup_{n \ge 0} \mathcal{K}(\xi_n) \subseteq F$. It follows that $x \in \mathcal{A}(F)$.

(3) To show $\mathcal{P}\big(\bigcap_{1 \le i \le m} F_i\big) = \bigcap_{1 \le i \le m} \mathcal{P}(F_i)$ observe that $\subseteq$ is clear. If $x \in \bigcap \mathcal{P}(F_i)$ then there exists $\xi_i \in \mathcal{K}(x)$ such that, for all $\xi \in \mathcal{K}(x)$, $\xi_i \in \mathcal{K}(\xi)$ implies $\xi \in F_i$. Since $\mathcal{K}(x)$ is directed there is some $\eta \in \mathcal{K}(x)$ with $\xi_1, \dots, \xi_m \in \mathcal{K}(\eta)$. Hence, whenever $\xi \in \mathcal{K}(x)$, $\eta \in \mathcal{K}(\xi)$ then $\xi_i \in \mathcal{K}(\xi)$, and therefore $\xi \in \bigcap F_i$. We conclude $x \in \mathcal{P}\big(\bigcap F_i\big)$.

(4) $\bigcap_{1 \le i \le m} \big(\mathcal{A}(F_i) \cup \mathcal{E}(F_i')\big) = \mathcal{R}\big(\bigcap_{1 \le i \le m} H_i\big) = \mathcal{P}\big(\bigcap_{1 \le i \le m} H_i\big)$ where

$$H_i = \mathcal{A}_{fin}(F_i) \cup \mathcal{E}_{fin}(F_i').$$

By part (2) of this proof, $\mathcal{A}(F_i) \cup \mathcal{E}(F_i') = \mathcal{R}(H_i) = \mathcal{P}(H_i)$, and by part (3) we have that

$$\bigcap_{1 \le i \le m} \big(\mathcal{A}(F_i) \cup \mathcal{E}(F_i')\big) = \bigcap_{1 \le i \le m} \mathcal{P}(H_i) = \mathcal{P}\Big(\bigcap_{1 \le i \le m} H_i\Big)$$

and

$$\bigcap_{1 \le i \le m} \mathcal{R}(H_i) = \bigcap_{1 \le i \le m} \mathcal{P}(H_i) = \mathcal{P}\Big(\bigcap_{1 \le i \le m} H_i\Big) \subseteq \mathcal{R}\Big(\bigcap_{1 \le i \le m} H_i\Big) \subseteq \bigcap_{1 \le i \le m} \mathcal{R}(H_i).$$

Therefore

$$\bigcap_{1 \le i \le m} \big(\mathcal{A}(F_i) \cup \mathcal{E}(F_i')\big) = \bigcap_{1 \le i \le m} \mathcal{R}(H_i) = \mathcal{R}\Big(\bigcap_{1 \le i \le m} H_i\Big) = \mathcal{P}\Big(\bigcap_{1 \le i \le m} H_i\Big).$$

□

It is an open question whether liveness properties are special kinds of reactivity properties.

Liveness does not subsume safety or guarantee properties. This is because $\emptyset$ is a safety and a guarantee property, but not a liveness property. In general, neither response nor persistence properties subsume liveness properties, as can be seen from the example below.

Example 3.4. In the linear time model $\Sigma^\infty$ the set

$$T_1 = \{\, x \in \Sigma^\omega : a^\omega \text{ is a suffix of } x \,\}$$

is a liveness property (eventually always $a$), but not a response property. The set

$$T_2 = \{\, x \in \Sigma^\omega : a^\omega \text{ is not a suffix of } x \,\}$$

is a liveness property (always eventually not $a$), but not a persistence property. (Here $a^\omega$ stands for the infinite string $aaa\ldots$.)

Proof. It is clear that $T_1$ and $T_2$ are liveness properties. Suppose $T_1 = \mathcal{R}(F)$ for some $F \subseteq \Sigma^*$. Then $x_1 = \beta a^\omega \in T_1$. Hence, there exists $n_1 \ge 1$ such that $\xi_1 = \beta a^{n_1} \in F$. Then $x_2 = \beta a^{n_1} \beta a^\omega \in T_1$. Thus, there exists $n_2 \ge 1$ with $\xi_2 = \beta a^{n_1} \beta a^{n_2} \in F$. Proceeding in this way we get a sequence of natural numbers $n_k \ge 1$ such that

$$\xi_k = \beta a^{n_1} \beta a^{n_2} \ldots \beta a^{n_k} \in F.$$

Let $x = \lim \xi_k$ (i.e. $x$ is the unique infinite string of which all $\xi_k$ are prefixes). Then $x \in \mathcal{R}(F)$ (since $(\xi_k)$ is an $x$-path in $F$), but $x \notin T_1$. Contradiction.

The argument for $T_2$ is similar. □

Part (a) of the following lemma shows that our definition of safety properties is a generalization of the definition of safety properties in the sense of [3].

Lemma 3.5. Let $T \subseteq A$. Then:

(a) $T$ is a safety property iff for each $x \in A \setminus T$ there exists some $\xi \in \mathcal{K}(x)$ such that whenever $y \in A$, $\xi \in \mathcal{K}(y)$ then $y \notin T$.

(b) $T$ is a guarantee property iff for each $x \in T$ there exists some $\xi \in \mathcal{K}(x)$ such that whenever $y \in A$, $\xi \in \mathcal{K}(y)$, then $y \in T$.

Notation 3.6. If $\xi \in \mathcal{K}(A)$ we put $U(\xi) = \{\, x \in \bar{A} : \xi \in \mathcal{K}(x) \,\}$.

It is easy to see that, because of condition (5), whenever $\xi, \eta \in \mathcal{K}(x)$ for some $x \in \bar{A}$ then there exists $\zeta \in \mathcal{K}(x)$ with $\xi, \eta \in \mathcal{K}(\zeta)$. In particular, whenever $x \in U(\xi) \cap U(\eta)$ then $x \in U(\zeta) \subseteq U(\xi) \cap U(\eta)$ for some $\zeta \in \mathcal{K}(A)$. Hence, the sets $U(\xi)$, $\xi \in \mathcal{K}(A)$, form a topological basis. In what follows we assume $\bar{A}$ to be equipped with the topology induced by the basis $U(\xi)$, $\xi \in \mathcal{K}(A)$, and that $A$ is endowed with the subspace topology. In part (b) of Lemma 3.7 we show that in order-enriched linear time models the topology induced by the basis $U(\xi)$, $\xi \in \mathcal{K}(A)$, is the Scott topology on $\bar{A}$ considered as an algebraic dcpo. In general, the topology on $\bar{A}$ is not $T_2$. This is because whenever $\mathcal{K}(x) \subseteq \mathcal{K}(y)$ then each neighbourhood of $x$ contains $y$. In particular, a converging sequence might have more than one limit. We write $x = \lim x_n$ to denote that $x$ is one of the limits of the sequence $(x_n)$. Since the topology on $\bar{A}$ is not $T_2$, we cannot expect that in the case where a linear time model $A$ is equipped with a length function the metric on $\bar{A}$ induces the topology on $\bar{A}$. In part (c) of Lemma 3.7 we show that if $A$ is metric-enriched the metric on $A$ induces the (subspace-)topology on $A$. Part (c) of Lemma 3.7 can be applied to the metric-enriched linear time model $\Sigma^\infty$ or the metric-enriched linear time model of pomsets $x \in Pom^\infty$ where $x[n]$ is finite for all $n$.
Lemma 3.7. Let $A$ be a linear time model.

(a) Whenever $(x_n)_{n \ge 0}$ is a sequence in $\bar{A}$ such that there exists an $x$-path $(\xi_n)_{n \ge 0}$ with $\xi_n \in \mathcal{K}(x_n)$ for all $n \ge 0$ then $x = \lim x_n$. In particular, each $x$-path converges to $x$.

(b) If $A$ is order-enriched then the topology on $\bar{A}$ agrees with the Scott topology on $\bar{A}$ as an algebraic dcpo.

(c) If $A$ is metric-enriched in the sense of Definition 2.13 then the metric on $A$ induces the topology on $A$.

PROOF. (b) is an easy verification using the fact that $U(\xi) = \uparrow\!\xi$.

(a) Let $(x_n)$ be a sequence in $\bar{A}$ and $(\xi_n)$ an $x$-path with $\xi_n \in \mathcal{K}(x_n)$. Let $U$ be an open neighbourhood of $x$. Then there exist $\eta_1, \dots, \eta_n \in \mathcal{K}(A)$ such that

$$x \in \bigcap_{1 \le j \le n} U(\eta_j) \subseteq U.$$

Then $\eta_j \in \mathcal{K}(x) = \bigcup_{i \ge 0} \mathcal{K}(\xi_i)$. Since $\mathcal{K}(\xi_i) \subseteq \mathcal{K}(\xi_{i+1})$ there exists $k \ge 0$ such that $\eta_j \in \mathcal{K}(\xi_k)$, $j = 1, \dots, n$. Then for all $i \ge k$ and $j = 1, \dots, n$: $\eta_j \in \mathcal{K}(\xi_k) \subseteq \mathcal{K}(\xi_i) \subseteq \mathcal{K}(x_i)$. Hence, for all $i \ge k$:

$$x_i \in \bigcap_{1 \le j \le n} U(\eta_j) \subseteq U.$$

Thus, we conclude that $x = \lim x_i$.

(c) We first show that if $\xi \in \mathcal{K}(A)$, $|\xi| = n$, then $U(\xi) = B(\xi, 1/2^{n-1})$. Let $x \in U(\xi)$. Then $\xi \in \mathcal{K}(x)$ and, by Theorem 2.12(a) and (c), $\xi[n] = \xi = x[n]$ and hence $d(x, \xi) \le 1/2^n < 1/2^{n-1}$. Therefore: $x \in B(\xi, 1/2^{n-1})$.

If $x \in B(\xi, 1/2^{n-1})$ then $d(x, \xi) \le 1/2^n$. Hence, $\xi \in \mathcal{K}(\xi) = \mathcal{K}_n(\xi) = \mathcal{K}_n(x) \subseteq \mathcal{K}(x)$, and $x \in U(\xi)$ follows as required.

Next we show that if $x \in A$ and $r > 0$ then $B(x, r) = U(x[n])$ where $n$ is the natural number with $n = 0$ if $r > 1$ and $1/2^n < r \le 1/2^{n-1}$ otherwise. If $y \in B(x, r)$ then $d(x, y) < r \le 1/2^{n-1}$. Hence, $d(x, y) \le 1/2^n$. Then $\mathcal{K}_n(x) = \mathcal{K}_n(y)$, and thus $x[n] = y[n] \in \mathcal{K}(y)$, from which we immediately obtain $y \in U(x[n])$.

If $y \in U(x[n])$ then $x[n] \in \mathcal{K}(y)$. Since $x \in A$ we have $|x[n]| = n$. Hence $x[n] = y[n]$ and therefore $d(x, y) \le 1/2^n < r$. Thus, $y \in B(x, r)$ as required.

□

Corollary 3.8.

• The topology on $\bar{A}$ is coarser than the topology on $\bar{A}$ induced by the metric. This is because every basis open $U(\xi)$ can be written as $B(x, 1/2^{n-1})$ where $\xi = x[n]$, $x \in A$. Note that $B(x[n], 1/2^{n-1}) = B(x, 1/2^{n-1})$ and that all elements $\xi \in \mathcal{K}(A)$ are of the form $\xi = x[n]$ for some $x \in A$ and $n \ge 0$.

• For order-enriched models the topology on $A$ is the relative Scott topology. $A$ is the subspace of maximal (and also non-compact) elements of $\bar{A}$.

The following theorem generalizes the topological characterizations of safety, guarantee and liveness properties as established in [3, 7, 19].

Theorem 3.9. Let $A$ be a linear time model and $T \subseteq A$. Then:

(a) $T$ is a safety property iff $T$ is closed.

(b) $T$ is a guarantee property iff $T$ is open.


CHRISTEL  BAIER  AND  MARTA  KWIATKOWSKA 

(c) $T$ is a liveness property iff $T$ is dense.

Proof. (a) Let $T$ be closed. Then we show $T = \mathcal{A}(F)$ where $F = \bigcup_{x \in T} \mathcal{K}(x)$. If $x \in T$ then $\mathcal{K}(x) \subseteq F$. Hence, $x \in \mathcal{A}(F)$. Let $x \in \mathcal{A}(F)$, then $\mathcal{K}(x) \subseteq F$. Let $(\xi_n)$ be an $x$-path. Since $\xi_n \in F$ and, by definition of $F$, there exists a sequence $(x_n)$ in $T$ with $\xi_n \in \mathcal{K}(x_n)$, we have by Lemma 3.7(a) that $x = \lim x_n$. Since $T$ is closed and since $x_n \in T$ for all $n \ge 0$ we conclude $x \in T$.

Let $T = \mathcal{A}(F)$, $x \in A$ and $(x_n)$ a sequence in $T$ such that $x$ is a limit of $(x_n)$. We have to show that $x \in T$. Let $\xi \in \mathcal{K}(x)$. We have to show that $\xi \in F$. Since $U(\xi)$ is an open neighbourhood of $x$, and since $(x_n)$ converges to $x$, there exists $m \ge 0$ such that $x_m \in U(\xi)$. Thus, $\xi \in \mathcal{K}(x_m)$, and since $x_m \in T = \mathcal{A}(F)$ we obtain $\xi \in F$.

(b) follows by (a) and the duality of $\mathcal{A}$ and $\mathcal{E}$.

(c) Let $T$ be a liveness property. We have to show that whenever $U$ is an open subset of $\bar{A}$ with $U \cap A \ne \emptyset$ then $U \cap T \ne \emptyset$. It is sufficient to consider the case that $U$ is basic open, i.e. $U = \bigcap_{1 \le i \le n} U(\xi_i)$ for some $\xi_1, \dots, \xi_n \in \mathcal{K}(A)$.

Since $U \cap A \ne \emptyset$ there exists $x \in U \cap A$. Then there exists $\xi \in \mathcal{K}(x)$ with $\xi_i \in \mathcal{K}(\xi)$, $i = 1, \dots, n$. Hence, $U(\xi) \subseteq U$. Since $T$ is a liveness property there exists $y \in T$ with $\xi \in \mathcal{K}(y)$. Then $y \in U(\xi)$, and thus $y \in T \cap U$.

Let $T$ be dense in $A$. If $\xi \in \mathcal{K}(A)$ then $U(\xi)$ is open, and because of condition (3) there exists $x \in A \cap U(\xi)$. Hence, $A \cap U(\xi) \ne \emptyset$. Since $T$ is dense in $A$ there is some $y \in T \cap U(\xi)$, from which it follows that $y \in T$ and $\xi \in \mathcal{K}(y)$.

□

In general, we do not obtain the results of [7, 19] which characterize response and persistence properties as the $G_\delta$-, resp. $F_\sigma$-sets, unless the model satisfies stronger conditions (see Theorem 3.10); in the latter case the hierarchy as in [7] can be obtained. It is worth noting that the additional conditions are satisfied by the linear model of strings, but not by traces and pomsets. As a counter-example, consider independent actions $a$ and $b$ and the trace $x = [(ab)^\omega]$; then there exists an infinite subset $[a^*]$ of $\mathcal{K}(x)$ which does not contain an infinite $x$-path. The case for pomsets is similar, except that a partial solution can be obtained by modifying the definition of the map $\mathcal{K}(x)$ to assign to an infinite pomset $x$ the set of its $n$-cuts $x[n]$, instead of assigning all finite prefixes of $x$. The results of [19] are more problematic as the definitions of $\mathcal{R}(F)$ and $\mathcal{P}(F)$ differ from ours.

Recall that $F_\sigma$-sets are countable unions of closed sets, $G_\delta$-sets countable intersections of open sets.

Theorem 3.10. Let $A$ be a linear time model such that:

(i) If $x \in A$ and $X$ is an infinite subset of $\mathcal{K}(x)$ then $X$ contains an $x$-path.

(ii) For each $\xi \in \mathcal{K}(A)$ the set $\mathcal{K}(\xi)$ is finite.

Then for each subset $T$ of $A$:

(a) $T$ is a response property iff $T$ is a $G_\delta$-set.

(b) $T$ is a persistence property iff $T$ is an $F_\sigma$-set.

Proof. (b) follows by (a) and the duality of $\mathcal{R}$ and $\mathcal{P}$. We show (a). Let $T = \mathcal{R}(F)$. We define $F_k$ to be the set consisting of all $\xi \in F$ such that there exist

ON  TOPOLOGICAL  HIERARCHIES  OF  TEMPORAL  PROPERTIES 


$\xi_1, \dots, \xi_k \in F \cap \mathcal{K}(\xi)$ with

$$\mathcal{K}(\xi_1) \subsetneq \mathcal{K}(\xi_2) \subsetneq \dots \subsetneq \mathcal{K}(\xi_k) \subseteq \mathcal{K}(\xi).$$

We prove that $T = \bigcap_{k \ge 1} \mathcal{E}(F_k)$. Note that because of Theorem 3.9(b) the sets $\mathcal{E}(F_k)$ are open, hence $\bigcap \mathcal{E}(F_k)$ is a $G_\delta$-set.

• If $x \in T$ then there exists an $x$-path $(\xi_k)_{k \ge 1}$ in $F$ such that $\mathcal{K}(\xi_k) \subsetneq \mathcal{K}(\xi_{k+1})$ for all $k$. Then $\xi_k \in F_k$ and therefore $x \in \mathcal{E}(F_k)$.

• If $x \in \bigcap \mathcal{E}(F_k)$ then for each $k \ge 1$ there exists $\xi_k \in F_k \cap \mathcal{K}(x)$. By definition of $F_k$ the cardinality of $\mathcal{K}(\xi_k)$ is at least $k$. Since by assumption (ii) the cardinality of $\mathcal{K}(\xi_k)$ is finite, the set $\{\xi_i : i \ge 1\}$ is infinite. By assumption (i) there exists an $x$-path in $\{\xi_i : i \ge 1\}$. Since $\xi_i \in F_i \subseteq F$ all elements of the $x$-path belong to $F$. Therefore, $x \in \mathcal{R}(F)$.

If $T = \bigcap G_k$, where the $G_k$ are open sets in $A$, we may assume that $G_1 \supseteq G_2 \supseteq \dots$. Otherwise we deal with $G'_k = G_1 \cap \dots \cap G_k$. Because of Theorem 3.9(b) there exist subsets $F_k$ of $\mathcal{K}(A)$ such that $G_k = \mathcal{E}(F_k)$. W.l.o.g. $F_1 \supseteq F_2 \supseteq \dots$ (otherwise we deal with $F'_k = \bigcup_{i \ge k} F_i$). Let $H_k$ be the set consisting of all $\xi \in F_k$ such that:

whenever $\xi' \in \mathcal{K}(\xi)$, $\xi' \ne \xi$, then $\xi' \notin F_k$.

Let $F = \bigcap F_k$ and $H = \bigcup H_k$. We show $T = \mathcal{E}(F) \cup \mathcal{R}(H)$. Note that $\mathcal{E}(F) = \mathcal{R}(\mathcal{E}_{fin}(F))$ and hence $\mathcal{E}(F) \cup \mathcal{R}(H) = \mathcal{R}(F')$ where $F' = \mathcal{E}_{fin}(F) \cup H$.

• If $x \in T$ then for each $k \ge 1$ there exists $\xi_k \in F_k \cap \mathcal{K}(x)$. Since $\mathcal{K}(\xi_k)$ is finite (by assumption (ii)) we may assume that $\xi_k$ is minimal, i.e. whenever $\xi' \in \mathcal{K}(\xi_k)$, $\xi' \ne \xi_k$, then $\xi' \notin F_k$.

Case 1: The set $\{\xi_k : k \ge 1\}$ is finite.

Then there exists $\xi \in \{\xi_k : k \ge 1\}$ with $\xi = \xi_k$ for infinitely many $k$. Hence, $\xi \in F_k$ for infinitely many $k$. Since $F_1 \supseteq F_2 \supseteq \dots$ we get $\xi \in F_k$ for all $k$, i.e. $\xi \in F$ and $x \in \mathcal{E}(F)$.

Case 2: The set $\{\xi_k : k \ge 1\}$ is infinite.

Because of the minimality of $\xi_k$ we have that $\xi_k \in H_k \subseteq H$. Let $(\eta_k)$ be an $x$-path in $\{\xi_k : k \ge 1\}$ (which exists because of assumption (i)). Then $\eta_k \in H$ for all $k$, and thus $x \in \mathcal{R}(H)$.

• If $x \in \mathcal{E}(F)$ then $\xi \in F$ for some $\xi \in \mathcal{K}(x)$. Hence, $\xi \in F_k$ for all $k$ and therefore $x \in \bigcap \mathcal{E}(F_k) = T$. If $x \in \mathcal{R}(H)$ then there exists an $x$-path $(\xi_k)$ in $H$. Then $\xi_k \in H_{m_k}$ for some $m_k \ge 1$. Since $\mathcal{K}(\xi_k) \subseteq \mathcal{K}(\xi_{k+1})$ we have:

$$\xi_k \in \mathcal{K}(\xi_{k+1}) \quad \text{and} \quad \xi_k \ne \xi_{k+1}.$$

By definition of $H_{m_k}$ we get:

$$\xi_k \in F_{m_k} \quad \text{and} \quad \xi_k \notin F_{m_{k+1}}.$$

Since $F_1 \supseteq F_2 \supseteq \dots$ we get: $m_1 < m_2 < \dots$ and therefore $m_k \ge k$. Hence, $\xi_k \in F_{m_k} \subseteq F_k$ for all $k$. Therefore, $x \in \bigcap \mathcal{E}(F_k) = T$.

□


In [19] the respective definitions of $\mathcal{R}$ and $\mathcal{P}$ differ from ours, i.e.

$$\mathcal{R}(F) = \{\, x \in A : \exists (\xi_k) : \mathcal{K}(\xi_1) \subsetneq \mathcal{K}(\xi_2) \subsetneq \dots \subseteq \mathcal{K}(x) \text{ and } \xi_k \in F \,\}.$$

One can show that under the assumptions (ii) and

(i') each infinite subset of $\mathcal{K}(x)$ contains an increasing sequence

the proof of Theorem 3.10 carries over to the modified definitions of $\mathcal{R}$ and $\mathcal{P}$ if we work with increasing sequences in $\mathcal{K}(x)$ instead of $x$-paths. Note that under the above conditions the domain of Mazurkiewicz traces becomes finitely concurrent.

Lemma 3.11. Let $F_1, F_2$ be finitary properties. Then:

(a) $\mathcal{A}(F_1) \cap \mathcal{A}(F_2) = \mathcal{A}(F_1 \cap F_2)$ and $\mathcal{A}(F_1) \cup \mathcal{A}(F_2) = \mathcal{A}(\mathcal{A}_{fin}(F_1) \cup \mathcal{A}_{fin}(F_2))$

(b) $\mathcal{E}(F_1) \cup \mathcal{E}(F_2) = \mathcal{E}(F_1 \cup F_2)$ and $\mathcal{E}(F_1) \cap \mathcal{E}(F_2) = \mathcal{E}(\mathcal{E}_{fin}(F_1) \cap \mathcal{E}_{fin}(F_2))$

(c) $\mathcal{R}(F_1) \cup \mathcal{R}(F_2) = \mathcal{R}(F_1 \cup F_2)$

(d) $\mathcal{P}(F_1 \cap F_2) = \mathcal{P}(F_1) \cap \mathcal{P}(F_2)$

It is an open question whether $\mathcal{R}$ and $\mathcal{P}$ are closed under intersection and union respectively. However, under the assumptions (i) and (ii) of Theorem 3.10 we obtain that $\mathcal{R}(F_1) \cap \mathcal{R}(F_2) = \mathcal{R}(F)$, where $F$ is the set of $\eta \in F_2$ such that there exists $\xi \in F_1 \cap \mathcal{K}(\eta)$ satisfying: whenever $\eta' \in F_2 \cap \mathcal{K}(\eta)$ and $\xi \in \mathcal{K}(\eta')$ then $\eta' = \eta$. The duality of $\mathcal{R}$ and $\mathcal{P}$ then yields the closedness of $\mathcal{P}$ under union.

4. Temporal logic and linear time models

In this section we show how linear or branching time temporal formulas can be interpreted over arbitrary linear time models with an initial state $\bot$ and a next step relation $\to$. If $x \in A$ then we interpret the elements of $\mathcal{K}(x)$ as possible intermediate states which an execution of $x$ may pass. If an execution of $x$ reaches the intermediate state $\xi$ then the possible next steps are those which lead to an intermediate state $\xi' \in \mathcal{K}(x)$ such that $\xi \to \xi'$. We associate $\to$ with a mapping which assigns to each step $\xi \to \xi'$ a multiset $act(\xi, \xi')$ of all those actions which are executed in the step from $\xi$ to $\xi'$. If $act(\xi, \xi')$ contains more than one action then the actions in $act(\xi, \xi')$ are executed in parallel. An execution (called observation) of a (complete) computation is a sequence $(\xi_n)_{n \ge 0}$ which

• starts in the initial state $\xi_0 = \bot$

• successively performs $\to$-steps, i.e. $\xi_n \to \xi_{n+1}$

• approximates $x$, i.e. $(\xi_n)$ is an $x$-path.

Observe that the next step relation allows the simultaneous execution of independent actions; this should be compared with maximal progress.

In the case where the next step relation ensures the existence of a unique execution, i.e. where the next step of a computation $x$ in an intermediate state $\xi$ is uniquely determined, we consider the linear time logic LTL which is closely related to the linear time logic of [21, 7]. When the next step relation allows more than one possible next step, we use a partial order logic ISTL*.

In section 4.1 we formalize the conditions which a suitable next step relation on a linear time model has to fulfill. Section 4.2 introduces our interpretation of the linear time logic LTL over linear time models with a deterministic next step relation. We show that our interpretation of LTL over $\Sigma^\infty$ and a suitable next step relation coincides with those of [21, 23]. In section 4.3 we extend the interpretation of the logic ISTL* [13, 27] to arbitrary linear time models with a next step relation. The reader is cautioned to note that our interpretation of ISTL* is non-standard.

Our approach applied to the model $[\Sigma^\infty]$ of traces differs from that of [19] as we require an execution of a computation $x$ to approximate $x$. This imposes fairness in the sense of maximality, see e.g. [14, 18]. If we consider the linear time model of partial order executions we get the interpretation of ISTL à la [13].
4.1. Linear time models with a next step relation. Let $\Sigma$ be a countable set of atomic actions. In what follows $A$ is a linear time model with an initial state $\bot$. By a multiset of atomic actions we mean a function $\kappa : \Sigma \to \mathbb{N}_0$. If $\kappa(a) = n \ge 1$ then $n$ copies of $a$ are contained in $\kappa$. If $\kappa(a) = 0$ then $a$ does not occur in $\kappa$. We write $a \in \kappa$ to denote that $a$ appears at least once in $\kappa$, i.e. $\kappa(a) \ge 1$. Union of multisets is defined to be addition.

Definition 4.1. A next step relation on $A$ is a pair $(\to, act)$ consisting of a binary relation $\to$ on $\mathcal{K}(A)$ and a mapping $act$ which assigns to each pair $(\xi, \xi')$ of finite elements with $\xi \to \xi'$ a multiset $act(\xi, \xi')$ of atomic actions such that the following conditions (i) - (iv) are fulfilled:

(i) If $\xi \to \eta$ then $\xi \sqsubseteq \eta$.

(ii) If $\xi_1 \to \xi_2$ and $\xi_1 \sqsubset \eta \sqsubset \xi_2$ then $\xi_1 \to \eta$ and $\eta \to \xi_2$.

(iii) If $\xi \sqsubset \eta$ then there exist $k \ge 2$ and $\xi_1, \xi_2, \dots, \xi_k \in \mathcal{K}(A)$ such that

$$\xi = \xi_1 \to \xi_2 \to \dots \to \xi_{k-1} \to \xi_k = \eta.$$

(iv) Whenever $\xi = \xi_1 \to \xi_2 \to \dots \to \xi_k = \eta$ and $\xi = \xi'_1 \to \xi'_2 \to \dots \to \xi'_n = \eta$ then

$$\bigcup_{1 \le i < k} act(\xi_i, \xi_{i+1}) = \bigcup_{1 \le j < n} act(\xi'_j, \xi'_{j+1}).$$

Conditions (i) and (iii) assert that the next step relation is compatible with the natural order. By condition (i), whenever $\eta$ is a possible next step of $\xi$ then $\eta$ represents a partial computation of $\xi$, and by (iii), whenever $\xi$ is a partial computation of $\eta$ then the intermediate state $\eta$ can be reached from $\xi$ by performing finitely many steps. Condition (ii) states that whenever $\xi_2$ can be reached from $\xi_1$ in one step then each partial computation $\eta$ which lies between $\xi_1$ and $\xi_2$ can be reached from $\xi_1$ in one step, and there is a step leading from $\eta$ to $\xi_2$. Condition (ii) (together with (iv)) reflects the assumption that, whenever the parallel execution of a multiset $\kappa$ of actions leads from a state $\xi_1$ to $\xi_2$ and $\eta$ is a state between $\xi_1$ and $\xi_2$, then $\kappa$ can be divided into multisets $\kappa_1$ and $\kappa_2$ such that first performing the actions in $\kappa_1$ in parallel, and then the actions in $\kappa_2$, leads from $\xi_1$ to $\xi_2$ via $\eta$. Note that it might be the case that $\xi_1 \to \xi_2$ is a step such that $act(\xi_1, \xi_2)$ consists of more than one action, and that $\xi_1 \to \xi_2$ cannot be broken down into a sequence of steps where in each step only a single action is performed. This is due to the fact that a step might stand for the synchronized execution of atomic steps which we represent by the multiset of all actions which participate in the synchronization. Condition (iv) asserts that each state $\eta$ is associated with a unique multiset of actions which lead from a previous state $\xi$ to $\eta$. In other words, we suppose each state to be associated with its 'history': the multiset of actions (more precisely, the partially ordered set of events) which must be performed to reach $\eta$ from the initial state $\bot$.

Definition 4.2. If $(\to, act)$ is a next step relation on $A$ we say $(A, \to, act)$ is a linear time model with next step relation. We say $(A, \to, act)$ is an interleaving model iff for each $x \in A$ there exists an enumeration $\xi_0, \xi_1, \xi_2, \dots$ of the elements of $\mathcal{K}(x)$ such that

$$\xi_0 = \bot \to \xi_1 \to \xi_2 \to \cdots$$

Otherwise we say $(A, \to, act)$ is a true concurrency model.

In interleaving models the sets $\mathcal{K}(x)$ are totally ordered w.r.t. the natural order on $A$ and the $x$-paths are exactly the subsequences of the unique sequence $(\xi_n)$ in $\mathcal{K}(x)$ with $\xi_0 = \bot$ and $\xi_n \to \xi_{n+1}$ for all $n \ge 0$. We say $(\xi_n)$ is the full $x$-path. We refer to the $n$-th element $\xi_n$ of the (unique) full $x$-path as the $n$-cut of $x$ and denote it by $x[n]$. In interleaving models, the next step of a computation $x$ is uniquely determined. Because of this, for the case of interleaving models we choose a linear time logic. In contrast, in true concurrency models, where the partial computations do not specify the order in which concurrent events are executed, there might exist several predecessors for a given intermediate state $\xi$. For this reason, for the true concurrency approach we use a branching time logic, where the predecessors of an intermediate state arise from parallelism, and not from an explicit non-deterministic choice operator.

Each metric-enriched linear time model $A$, together with a next step relation of the form $(\to, act)$ where

$$\xi \to \eta \iff \exists x \in A\ \exists n \in \mathbb{N}_0\ \big(\, \xi = x[n] \wedge \eta = x[n+1] \,\big)$$

is an interleaving model. Vice versa, if there is a next step relation $\to$ on $A$ then a length function on $A$ can be defined which turns $A$ into a metric-enriched linear time model.


4.2. Linear time logic and interleaving models. We consider a linear time logic LTL which is essentially that of [23, 7]. The syntax of LTL is given by:

$$\phi ::= tt \;|\; a \;|\; \phi_1 \wedge \phi_2 \;|\; \neg\phi \;|\; X_\alpha\, \phi \;|\; Y_\alpha\, \phi \;|\; \phi_1\ U\ \phi_2 \;|\; \phi_1\ S\ \phi_2$$

where $a \in AP$ ($AP$ denotes a set of atomic propositions) and $\alpha \in \Sigma$.
We  interpret  LTL  over  arbitrary  interleaving  models  A  as  follows. 


Definition 4.3. An LTL structure is a 4-tuple $(A, \to, act, L)$ consisting of an interleaving model $(A, \to, act)$ and an interpretation $L$ of the atomic propositions, i.e. $L$ assigns to each atomic proposition $a$ a subset $L(a)$ of $\mathcal{K}(A)$.

Let $(A, \to, act, L)$ be an LTL structure. The elements of $L(a)$ fulfill the condition represented by the atomic proposition $a$. We identify each computation $x \in A$ with the execution which successively enters the states $x[0], x[1], x[2], \dots$. In the $n$-th state $x[n]$, the unique step leading to $x[n+1]$ is performed. A formula $\phi$ is interpreted over the states of computations which are represented by pairs $(x, n)$ where $x \in A$ is a computation and $n$ a natural number. $(x, n) \models \phi$ means that in the $n$-th step of the computation $x$ the condition specified by $\phi$ is fulfilled. An element $x \in A$ satisfies a formula $\phi$ (denoted by $x \models \phi$) iff $\phi$ is fulfilled in the initial state, i.e. $(x, 0) \models \phi$. The relation $(x, n) \models \phi$ is defined by structural induction.
$(x, n) \models tt$

$(x, n) \models a$ iff $x[n] \in L(a)$

$(x, n) \models \phi_1 \wedge \phi_2$ iff $(x, n) \models \phi_i$, $i = 1, 2$

$(x, n) \models \neg\phi$ iff $(x, n) \not\models \phi$

$(x, n) \models X_\alpha\, \phi$ iff $(x, n+1) \models \phi$ and $\alpha \in act(x[n], x[n+1])$

$(x, n) \models Y_\alpha\, \phi$ iff $n \ge 1$, $(x, n-1) \models \phi$, $\alpha \in act(x[n-1], x[n])$

$(x, n) \models \phi_1\ U\ \phi_2$ iff there exists $k \ge n$ s.t. $(x, k) \models \phi_2$ and $(x, j) \models \phi_1$, $j = n, n+1, \dots, k-1$

$(x, n) \models \phi_1\ S\ \phi_2$ iff there exists $k \le n$ s.t. $(x, k) \models \phi_2$ and $(x, j) \models \phi_1$, $j = k+1, \dots, n-1, n$

$Sat(\phi)$ denotes the elements $x \in A$ which satisfy $\phi$. $X_\alpha$ and $U$ are called future operators, $Y_\alpha$ and $S$ past operators. A past formula is any formula which does not contain any occurrence of a future operator. A future formula is any formula which does not contain any occurrence of a past operator. For $\Phi$ a past formula and $\xi \in \mathcal{K}(A)$, there exist $x \in A$ and $n \ge 0$ with $x[n] = \xi$ and $(x, n) \models \Phi$ if and only if $(x, n) \models \Phi$ for all $x \in A$ and $n \ge 0$ with $x[n] = \xi$. We put:

$$F_\Phi = \{\, x[n] : x \in A,\ n \ge 0,\ (x, n) \models \Phi \,\}$$

We use the following abbreviations. We put:

$$ff = \neg tt, \qquad \phi_1 \vee \phi_2 = \neg(\neg\phi_1 \wedge \neg\phi_2), \qquad \phi_1 \to \phi_2 = \neg\phi_1 \vee \phi_2$$

and

$$X\phi = \bigvee_{\alpha \in \Sigma} X_\alpha\, \phi, \qquad Y\phi = \bigvee_{\alpha \in \Sigma} Y_\alpha\, \phi, \qquad \Diamond\phi = tt\ U\ \phi, \qquad \Box\phi = \neg\Diamond\neg\phi.$$

As in [7], we define safety, guarantee, response and persistence formulas to be formulas of the form $\Box\Phi$, $\Diamond\Phi$, $\Box\Diamond\Phi$ and $\Diamond\Box\Phi$ respectively, where $\Phi$ is a past formula. A liveness formula is an LTL formula of the form

$$\Diamond \Big( \bigvee_{i=1}^{n} \big( \Phi_i \wedge \Diamond\Lambda_i \big) \Big)$$

where $\Phi_i$ are past formulas and $\Lambda_i$ are future formulas such that:

• $\Box\big(\bigvee_{i=1}^{n} \Phi_i\big)$ is valid.

• The formulas $\Lambda_i$ are everywhere eventually satisfiable, i.e. for all $1 \le i \le n$, $y \in A$ and $N \ge 0$ there exist $x \in A$ and $k \ge N$ such that $x[N] = y[N]$ and $(x, k) \models \Lambda_i$.

Instead of the second condition [7] require that the future formulas $\Lambda_i$ are satisfiable. In the case of the linear time model $\Sigma^\infty$ satisfiability is equivalent to our second condition, which can be seen as follows. Let $\Lambda$ be a satisfiable future formula (satisfiability w.r.t. $\Sigma^\infty$) and $s \in \Sigma^\infty$, $l \ge 0$ such that $(s, l) \models \Lambda$. Then, for each $t \in \Sigma^\infty$ and $N \ge 0$, let $u$ be the string $t[N]s$. Then $u[N] = t[N]$ and $(u, k) \models \Lambda$ where $k = N + l$. In order to see that $(u, k) \models \Lambda$ it is essential that $\Lambda$ does not contain past operators.

Lemma  4.4.  Let  4>  be  a  past  formula. 

(a)  Sat(  □$  )  =  A(F$)  (a  safety  property) 

(b)  Sat(  0$  )  =  £(F<f>)  (a  guarantee  property) 

(c)  Sat(  □<>$  )  \ /C(M)  =  TZ(F^)  (a  response  property) 

(d)  Sat(  <>□$  )  \  IC(M )  =  V(F<&)  (a  persistence  property) 

(e)  If  A  25  a  liveness  formula  then  Sat(A)  is  a  liveness  property. 

Proof. (a) $x \in Sat(\Box\Phi)$ iff $(x, \bot) \models \Box\Phi$ iff $(x, n) \models \Phi$ for all $n \geq 0$ iff $x[n] \in F_\Phi$ for all $n \geq 0$ iff $x \in \mathcal{A}(F_\Phi)$.

(b) $x \in Sat(\Diamond\Phi)$ iff $(x, \bot) \models \Diamond\Phi$ iff $(x, n) \models \Phi$ for some $n \geq 0$ iff $x[n] \in F_\Phi$ for some $n \geq 0$ iff $x \in \mathcal{E}(F_\Phi)$.

(c) $x \in Sat(\Box\Diamond\Phi)$ iff $(x, n) \models \Phi$ for infinitely many $n$ iff $x[n] \in F_\Phi$ for infinitely many $n$ iff $x \in \mathcal{R}(F_\Phi)$.

(d) $x \in Sat(\Diamond\Box\Phi)$ iff $(x, n) \models \Phi$ for almost all $n$ iff $x[n] \in F_\Phi$ for almost all $n$ iff $x \in \mathcal{P}(F_\Phi)$.

(e) Let $\xi \in \mathcal{K}(\mathcal{A})$. Then $\xi = y[N]$ for some $y \in \mathcal{A}$ and $N \geq 0$. We have to show that there exists $x \in Sat(A)$ with $x[N] = \xi$. Let

$A = \Diamond\left(\bigvee_{i=1}^{n} (\Phi_i \wedge \Diamond A_i)\right)$

Since $\Box(\bigvee_i \Phi_i)$ is valid, $(y, N) \models \Phi_i$ for some $i$. Because $A_i$ is everywhere eventually satisfiable, there exists $x \in \mathcal{A}$ and $k \geq N$ such that $x[N] = \xi$ and $(x, k) \models A_i$. Since $\Phi_i$ is a past formula we get $(x, N) \models \Phi_i$. Since $k \geq N$ we have $(x, N) \models \Diamond A_i$, and hence

$(x, N) \models \Phi_i \wedge \Diamond A_i$

and therefore $x \models A$. $\Box$
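The four forms of Lemma 4.4 can be decided mechanically on ultimately periodic words. The following Python code is an added illustration and not part of the paper: it works in the linear time model $\Sigma^\infty$, represents a past state formula $\Phi$ by a DFA that accepts exactly the finite prefixes in $F_\Phi$ (an assumption made for this example only; the paper fixes no representation of $F_\Phi$), and evaluates $\Box\Phi$, $\Diamond\Phi$, $\Box\Diamond\Phi$ and $\Diamond\Box\Phi$ on $x = u v^\omega$ by following the DFA states reached after each prefix $x[n]$ until they become periodic. The two DFAs and the words are constructed sample inputs.

```python
# Added example (not from the paper): evaluating the four temporal forms of Lemma 4.4
# on ultimately periodic words x = u v^omega over the linear time model Sigma^infty.
# A past state formula Phi is represented by a DFA accepting exactly the finite prefixes
# x[n] that lie in F_Phi (an assumption of this example; the paper fixes no representation).

def prefix_state_sequence(dfa, u, v):
    """DFA states after the prefixes x[0], x[1], ... of x = u v^omega.

    Returns (transient, cycle): 'transient' lists the states after the prefixes up to the
    point where the state at a period boundary recurs; 'cycle' lists the states visited
    during one full cycle of periods. From then on the state sequence repeats 'cycle'."""
    delta = dfa["delta"]
    transient = [dfa["start"]]          # state after the empty prefix x[0]
    for ch in u:
        transient.append(delta[(transient[-1], ch)])
    q = transient[-1]
    boundary = []                       # states at the start of each v-block, in order
    blocks = []                         # states visited inside each v-block
    while q not in boundary:
        boundary.append(q)
        inner = []
        for ch in v:
            q = delta[(q, ch)]
            inner.append(q)
        blocks.append(inner)
    c = boundary.index(q)               # the block from which the state sequence cycles
    transient += [s for b in blocks[:c] for s in b]
    cycle = [s for b in blocks[c:] for s in b]
    return transient, cycle

def classify(dfa, u, v):
    """Membership of x = u v^omega in Sat(Box Phi), Sat(Diamond Phi), Sat(Box Diamond Phi)
    and Sat(Diamond Box Phi), which by Lemma 4.4 are A(F), E(F), R(F), P(F) for F = F_Phi."""
    transient, cycle = prefix_state_sequence(dfa, u, v)
    in_f = [s in dfa["accept"] for s in transient]
    in_f_cycle = [s in dfa["accept"] for s in cycle]
    return {
        "safety":      all(in_f) and all(in_f_cycle),   # x[n] in F for all n
        "guarantee":   any(in_f) or any(in_f_cycle),    # x[n] in F for some n
        "response":    any(in_f_cycle),                 # x[n] in F for infinitely many n
        "persistence": all(in_f_cycle),                 # x[n] in F for almost all n
    }

# Constructed sample DFAs over Sigma = {a, b}.
# Phi_1 = "the last action performed was a" (the past formula Y_a tt).
LAST_WAS_A = {
    "start": "other", "accept": {"last_a"},
    "delta": {("other", "a"): "last_a", ("other", "b"): "other",
              ("last_a", "a"): "last_a", ("last_a", "b"): "other"},
}
# Phi_2 = "no b has occurred so far" (the past formula not [tt S b]).
NO_B_YET = {
    "start": "clean", "accept": {"clean"},
    "delta": {("clean", "a"): "clean", ("clean", "b"): "dirty",
              ("dirty", "a"): "dirty", ("dirty", "b"): "dirty"},
}

if __name__ == "__main__":
    for dfa, name, u, v in [(LAST_WAS_A, "Y_a tt", "b", "ab"),
                            (LAST_WAS_A, "Y_a tt", "ab", "a"),
                            (NO_B_YET, "not P b", "aab", "a")]:
        print(name, "on %s(%s)^w:" % (u, v), classify(dfa, u, v))
```

For $x = b(ab)^\omega$ and $\Phi_1$ the prefixes ending in $a$ recur but never hold everywhere, so $x$ lies in $\mathcal{E}(F)$ and $\mathcal{R}(F)$ but not in $\mathcal{A}(F)$ or $\mathcal{P}(F)$; for $x = ab\,a^\omega$ the persistence property holds as well, and $a^\omega$ with $\Phi_2$ is the one case where all four hold.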

4.3. Partial order logic and true concurrency models. In this section we briefly introduce the logic ISTL* [13, 27] and show how its formulas can be interpreted over order-enriched linear time models. The reader is cautioned to note that our interpretation of ISTL* is over more general, non-standard models, but coincides with that of [27] for a suitably chosen next step relation. In [13] and [27] ISTL* formulas are interpreted over interleaving sequences of partial order executions (i.e. linearizations of pomsets of a certain kind) and Mazurkiewicz traces respectively, whereas we give semantics (for syntactically the same formulas) in arbitrary order-enriched linear time models.

A state formula of ISTL* is a formula $\phi$ given by the grammar:

$\phi ::= tt \mid a \mid \phi_1 \wedge \phi_2 \mid \neg\phi \mid A\psi$

where $a \in AP$ is an atomic formula and $\psi$ is a path formula built from the following production system:

$\psi ::= \phi \mid \psi_1 \wedge \psi_2 \mid \neg\psi \mid X_a\,\psi \mid Y_a\,\psi \mid [\psi_1\, U\, \psi_2] \mid [\psi_2\, S\, \psi_1]$

where $\phi$ is a state formula and $a \in \Sigma$.


ON TOPOLOGICAL HIERARCHIES OF TEMPORAL PROPERTIES 23


We use the following abbreviations:

$ff = \neg tt$, $\quad f_1 \vee f_2 = \neg(\neg f_1 \wedge \neg f_2)$, $\quad f_1 \to f_2 = \neg f_1 \vee f_2$

for all state or path formulas $f_1$, $f_2$, and $E\psi = \neg A\neg\psi$ for a path formula $\psi$. If $\psi$ is a path formula then

$F\psi = [tt\, U\, \psi]$, $\quad G\psi = \neg[tt\, U\, (\neg\psi)]$,

$P\psi = [tt\, S\, \psi]$ (and dually $\neg[tt\, S\, (\neg\psi)]$),

$X\psi = \bigvee_{\beta \in \Sigma} X_\beta\,\psi$, $\quad Y\psi = \bigvee_{\beta \in \Sigma} Y_\beta\,\psi$.

Definition 4.5. An ISTL* structure is a 4-tuple $(\mathcal{A}, \to, act, L)$ where $(\mathcal{A}, \to, act)$ is a linear time model with next step relation and $L$ an interpretation of the atomic propositions, i.e. a function which assigns to each atomic proposition $a$ a subset $L(a)$ of $\mathcal{K}(\mathcal{A})$ consisting of those states $\xi$ which are supposed to satisfy the condition $a$.

Let $(\mathcal{A}, \to, act, L)$ be an ISTL* structure. State formulas are interpreted over intermediate states of computations, which we represent by pairs $(x, \xi)$ where $x \in \mathcal{A}$ and $\xi \in \mathcal{K}(x)$. Path formulas are interpreted over states of observations.

Definition 4.6. Let $(\mathcal{A}, \to, act)$ be a linear time model with next step relation. An observation on $\mathcal{A}$ is a sequence $\pi = (\xi_n)_{n \geq 0}$ in $\mathcal{K}(\mathcal{A})$ such that:

• either $\xi_i \to \xi_{i+1}$ for all $i \geq 0$, or

• there is some $k \geq 0$ such that

$\xi_0 \to \xi_1 \to \xi_2 \to \ldots \to \xi_k = \xi_{k+1} = \xi_{k+2} = \ldots$

We write $\pi(i)$ to denote the $i$-th element of $\pi$, i.e. if $\pi = (\xi_0, \xi_1, \ldots)$ then $\pi(i) = \xi_i$. $\pi$ is called an $x$-observation iff in addition $\bigcup_i \xi_i = x$. An initial $x$-observation is an $x$-observation $\pi = (\xi_0, \xi_1, \ldots)$ with $\xi_0 = \bot$.

The path quantifiers $A$ and $E$ of ISTL* range over $x$-observations. The set of all such observations is an 'Abrahamson structure', i.e. suffix-closed and fusion-closed (cf. [1, 9, 13]). Suffix-closedness means that if $(\xi_n)_{n \geq 0}$ is an $x$-observation then also $(\xi_n)_{n \geq k}$ is an $x$-observation for arbitrary $k \geq 0$. Fusion-closedness means that if $(\xi_n)_{n \geq 0}$ and $(\eta_n)_{n \geq 0}$ are $x$-observations such that $\xi_n = \eta_k$ for some $n \geq 0$ and $k \geq 0$ then the sequence

$\xi_0, \xi_1, \ldots, \xi_n, \eta_{k+1}, \eta_{k+2}, \ldots$

is an $x$-observation.

A computation $x$ is said to satisfy a state formula $\phi$ (denoted by $x \models \phi$) iff $x$ satisfies $\phi$ in its initial state $\bot$, i.e. iff $(x, \bot) \models \phi$. Here $(x, \xi) \models \phi$, where $x \in \mathcal{A}$, $\xi \in \mathcal{K}(x)$, is defined by structural induction:

$(x, \xi) \models tt$

$(x, \xi) \models a$ iff $\xi \in L(a)$

$(x, \xi) \models \phi_1 \wedge \phi_2$ iff $(x, \xi) \models \phi_i$, $i = 1, 2$

$(x, \xi) \models \neg\phi$ iff $(x, \xi) \not\models \phi$

$(x, \xi) \models A\psi$ iff $(\pi, i) \models \psi$ for each $x$-observation $\pi$ with $\pi(i) = \xi$

and for each observation $\pi = (\xi_0, \xi_1, \xi_2, \ldots)$ and $i \geq 0$:

$(\pi, i) \models \phi$ iff $(x, \xi_i) \models \phi$ where $x = \bigcup_n \xi_n$

$(\pi, i) \models \psi_1 \wedge \psi_2$ iff $(\pi, i) \models \psi_j$, $j = 1, 2$

$(\pi, i) \models \neg\psi$ iff $(\pi, i) \not\models \psi$

$(\pi, i) \models X_a\,\psi$ iff $(\pi, i+1) \models \psi$ and $a \in act(\xi_i, \xi_{i+1})$

$(\pi, i) \models Y_a\,\psi$ iff $i \geq 1$, $(\pi, i-1) \models \psi$ and $a \in act(\xi_{i-1}, \xi_i)$

$(\pi, i) \models [\psi_1\, U\, \psi_2]$ iff there exists $k \geq i$ s.t. $(\pi, k) \models \psi_2$ and $(\pi, j) \models \psi_1$, $j = i, i+1, \ldots, k-1$

$(\pi, i) \models [\psi_2\, S\, \psi_1]$ iff there exists $k \leq i$ with $(\pi, k) \models \psi_1$ and $(\pi, j) \models \psi_2$, $j = k+1, \ldots, i-1$.

Remark 4.7. If ISTL* formulas are interpreted over a LTL structure $(\mathcal{A}, \to, act, L)$ then the quantifiers $E$ and $A$ have the same interpretation. This is because $x[0], x[1], \ldots$ is the unique $x$-observation. In this case the logic ISTL* reduces to the linear time logic. Let $\hat\phi$ be the LTL formula which arises from a state formula $\phi$ by removing the quantifiers $A$ and $E$. Then $x \models_{IST} \phi$ if and only if $x \models_{LT} \hat\phi$. (The index $LT$, resp. $IST$, denotes whether $(\mathcal{A}, \to, act, L)$ is assumed to be a LTL structure or an ISTL* structure.)

Let $Sat(\phi)$ be the set of all $x \in \mathcal{A}$ which satisfy $\phi$:

$Sat(\phi) = \{\, x \in \mathcal{A} : x \models \phi \,\}$

The operators $U$ and $X$ are called future operators, $S$ and $Y$ past operators. A past formula is a formula which does not contain any future operators. A future formula is a formula without past operators. Let $\Phi$ be a past state formula and $\xi \in \mathcal{K}(\mathcal{A})$. Then $(x, \xi) \models \Phi$ for some $x \in \mathcal{A}$ with $\xi \sqsubseteq x$ if and only if $(x, \xi) \models \Phi$ for all $x \in \mathcal{A}$ with $\xi \sqsubseteq x$. We define:

$F_\Phi = \{\, \xi \in \mathcal{K}(\mathcal{A}) : (x, \xi) \models \Phi \text{ for some } x \in \mathcal{A} \,\}$

Safety, guarantee, response and persistence properties are given by the forms $AG\Phi$, $EF\Phi$, $EGF\Phi$ and $AFG\Phi$ respectively, where $\Phi$ is a past state formula. A liveness formula is a state formula of the form

$EF\left(\bigvee_{i=1}^{n} (\Phi_i \wedge FA_i)\right)$

where $\Phi_i$ are past state formulas and $A_i$ future state formulas such that

• $AG(\bigv_i \Phi_i)$ is valid

• $A_i$ is everywhere eventually satisfiable, i.e. for each $\xi \in \mathcal{K}(\mathcal{A})$ there exists $x \in \mathcal{A}$ and $\eta \in \mathcal{K}(x)$ with:

$\xi \sqsubseteq \eta \sqsubseteq x$, $\quad (x, \eta) \models A_i$

Lemma 4.8. Let $\Phi$ be a past formula. Then:

(a) $Sat(AG\Phi) = \mathcal{A}(F_\Phi)$

(b) $Sat(EF\Phi) = \mathcal{E}(F_\Phi)$

(c) $Sat(EGF\Phi) \setminus \mathcal{K}(\mathcal{A}) = \mathcal{R}(F_\Phi)$

(d) $Sat(AFG\Phi) \setminus \mathcal{K}(\mathcal{A}) = \mathcal{P}(F_\Phi)$

(e) If $A$ is a liveness formula then $Sat(A)$ is a liveness property.

Proof. (a)-(d) The proof is similar to Lemma 4.4.

(e) Let $A = EF(\bigvee_i (\Phi_i \wedge FA_i))$ be a liveness formula. Let $\xi \in \mathcal{K}(\mathcal{A})$. Since the $\Phi_i$ are past formulas and since $AG(\bigvee_j \Phi_j)$ is valid, there is some $i$ with $\xi \in F_{\Phi_i}$. Since $A_i$ is everywhere eventually satisfiable there exists $x \in \mathcal{A}$ and $\eta \in \mathcal{K}(x)$ such that $\xi \sqsubseteq \eta \sqsubseteq x$ and $(x, \eta) \models A_i$. Let $\pi$ be an initial $x$-observation such that $\pi(j) = \xi$ and $\pi(k) = \eta$ for some $0 \leq j \leq k$. Then $(\pi, k) \models A_i$ and $(\pi, j) \models \Phi_i$. Hence, $(\pi, j) \models \Phi_i \wedge FA_i$ and therefore

$(\pi, 0) \models F(\bigvee_i (\Phi_i \wedge FA_i))$.

Thus, $x \models A$, i.e. $x \in Sat(A)$. $\Box$

We  have  not  been  able  to  find  syntactic  descriptions  of  obligation  and  reactivity 
properties,  and  also  progress  properties  in  the  sense  of  [7].  It  is  an  open  problem 
whether  it  can  be  shown  that  each  of  these  classes  of  formulas  is  characteristic  in 
the  sense  that  each  extensional  property  corresponds  to  a  syntactic  property. 

The following lemma shows that our requirement that an $x$-observation approximates $x$ ensures that each action $a$ which is enabled in some state $\xi$ during some execution of $x$ is actually performed in every linearization of $x$ at a state subsuming (above) $\xi$, cf. maximality [14]. If $a \in \Sigma$ then we put:

$en_a = EX_a\,tt$, $\quad ex_a = AFX_a\,tt$

Then $(x, \xi) \models en_a$ iff the action $a$ is enabled (i.e. can be performed) in the state $\xi$. $(x, \xi) \models ex_a$ iff in each execution of $x$ the action $a$ will be performed at some state subsuming $\xi$.

Lemma 4.9. The formula $AG(en_a \to ex_a)$ holds for all $x \in \mathcal{A}$.

4.4. Examples.

4.4.1. Interpreting LTL over strings. The temporal logic used in [28, 23, 7] is essentially the same as our logic LTL, the only difference being that our next/previous step operators $X_a$, $Y_a$ are labelled with actions $a$. Our interpretation of LTL formulas (using $X$, $Y$ instead of $X_a$, $Y_a$) over the metric-enriched linear time model $\Sigma^\infty$ coincides with that of [7].

The language LTL also includes Lamport's linear time logic (called TL) [21, 26]. TL formulas are built from the atomic propositions using the ordinary logical operators $\vee$, $\wedge$ and $\neg$ and the temporal operators $\Box$ and $\Diamond$. The interpretation of [21] of TL-formulas over sequences of system states corresponds to our interpretation of TL for the case of the interleaving model $\Theta^\infty = \Theta^* \cup \Theta^\omega$. Here $\Theta$ denotes a set of (possible) system states, typically mappings from program and control variables to values. $\Theta^*$ denotes the set of finite sequences over $\Theta$ and $\Theta^\omega$ the set of infinite sequences. Terminating computations are represented by infinite strings where the final state is repeated infinitely often.

[26] defines safety properties as those which are induced by formulas of the form $a \to \Box b$ where $a$ and $b$ are atomic propositions. Liveness formulas in the sense of [26] have the form $\Box(a \to \Diamond b)$.
4.4.2. Interpreting ISTL over traces. The logic ISTL* of [27] is interpreted over Mazurkiewicz traces. We now consider its relationship with our linear time model framework.

In [27], the starting point is a program described by a tuple $(\Sigma, \iota, \theta, y)$ where $(\Sigma, \iota)$ is a concurrent alphabet, $\theta$ a satisfiable predicate (the initial condition) and $y$ a finite sequence of program variables. An assignment for $y$ is a function $J$ which assigns to each program variable $y$ a value $J(y)$ of the domain of $y$. The assignments can be viewed as states of the program. Each $\alpha \in \Sigma$ is associated with a pair $\langle en_\alpha, f_\alpha \rangle$ where $en_\alpha$ is an enabling condition and $f_\alpha$ a transformation that describes the effect of $\alpha$ applied in a state where $en_\alpha$ holds, i.e. $f_\alpha$ is a function which assigns to each assignment $J$ for $y$ with $J \models en_\alpha$ an assignment $f_\alpha(J)$. (Here a satisfaction relation $\models$ for the enabling conditions and the assignments for $y$ is supposed such that $J \models en_\alpha$ iff $\alpha$ is enabled in $J$.) Moreover, the commutativity of independent actions and the fact that independent actions can neither disable nor enable each other are required. Formally, for all actions $\alpha, \beta$ with $\alpha\,\iota\,\beta$ and all assignments $J$ for $y$:

• If $J \models en_\alpha \wedge en_\beta$ then $f_\alpha(f_\beta(J)) = f_\beta(f_\alpha(J))$.

• If $J \models en_\alpha$ then $J \models en_\beta$ if and only if $f_\alpha(J) \models en_\beta$.

For simplicity, we assume a fixed initial state (an assignment $J_{init}$ for $y$). ($J_{init}$ might be either an assignment where the initial condition $\theta$ holds or an 'accessible' assignment, i.e. an assignment $J$ which is reachable from an assignment where the initial condition holds.) We define $\Sigma^*_{init}$ to be the set of finite strings $s = \alpha_0\alpha_1\ldots\alpha_n$ over $\Sigma$ such that $J_i \models en_{\alpha_i}$, $i = 0, 1, \ldots, n$, where $J_0 = J_{init}$ and $J_{i+1} = f_{\alpha_i}(J_i)$. The interpretation $J_{n+1}$ is called the 'final interpretation' of $s$ and is denoted by $fin_s$. The commutativity of independent actions implies that if $s \equiv t$ then $fin_s = fin_t$. Hence, we may define $fin_\xi = fin_s$ for each finite trace $\xi = [s]$ where $s \in \Sigma^*_{init}$. Let $x$ be an infinite trace such that $x = [s]$ for some infinite string $s$ over $\Sigma$ where all prefixes of $s$ belong to $\Sigma^*_{init}$. $x$ can be viewed as a 'run' in the sense of [27] (which is defined as a maximal subset of $[\Sigma^*_{init}]$ consisting of pairwise consistent traces, where the consistency of two finite traces $\xi_1, \xi_2$ means that $\xi_1, \xi_2 \sqsubseteq \xi$ for some finite trace $\xi$). An 'observation' of $x$ in the sense of [27] is a sequence of traces $\xi_0, \xi_1, \ldots$ such that $\xi_0$ is the empty trace, $\xi_{i+1} = \xi_i[\alpha_i]$ for some $\alpha_i \in \Sigma$, and whenever $\xi \sqsubseteq x$ then $\xi \sqsubseteq \xi_i$ for some $i$. Hence, the observations of $x$ in the sense of [27] are exactly the $x$-observations in the linear time model $[\Sigma^\infty]$, together with the next step relation defined by:

$x \to y$ iff $\exists s \in \Sigma^*, \alpha \in \Sigma : x = [s] \wedge y = [s\alpha]$

where $act([s], [s\alpha]) = \{\alpha\}$ is the multiset containing $\alpha$.

We assume that there is a satisfaction relation $\models$ for the atomic propositions and the interpretations $J$ for the program variables $y$ such that $J \models a$ iff $a$ is true in the state $J$. This yields an interpretation $L$ for the atomic propositions which assigns to each atomic proposition $a$ a set $L(a)$ of finite traces $\xi \in [\Sigma^*_{init}]$:

$\xi \in L(a)$ iff $fin_\xi \models a$.

[27] associates each run $x$ with an ISTL*-structure and obtains a satisfaction relation $\models_x$ for each run $x$. This satisfaction relation agrees with ours (in the sense that $\bot \models_x \phi$ iff $x \models \phi$) when we deal with the linear time model of traces, the next step relation $\to$ and the interpretation $L$ as above. Here we replace the next step operator $X$ in [27] by the labelled next step operators $X_\alpha$, and similarly their first order (state) formulas are substituted by atomic propositions.

Instead of $x$-observations, which are maximal in the order-theoretic sense, [19] use arbitrary observations $(\xi_n)$ in $\mathcal{K}(x)$ as executions of $x$; for example, the latter admits non-maximal Mazurkiewicz traces. In [19] a computation $x$ in a state $\xi$ satisfies a formula of the form $E\phi$ iff there exists an observation $\pi$ in $\mathcal{K}(x)$ starting in $\xi$ with $(\pi, 0) \models \phi$. Notice that it is not required that $\pi$ approximates $x$, i.e. the case $\bigcup_i \pi(i) \sqsubset x$ is allowed. For instance, the formula

$\Phi = EGX_\alpha\,tt$

is satisfied in the approach of [19] by the trace $[s]$, $s = \beta\alpha\alpha\alpha\ldots$, where $\alpha\,\iota\,\beta$, but not in our framework. This is because

$[\alpha] \to [\alpha\alpha] \to [\alpha\alpha\alpha] \to \ldots$

is considered an execution of $[s]$ in [19], but not in this paper.

Another useful next step relation on $[\Sigma^\infty]$ is given by:

$x \Rightarrow y$

iff there exist pairwise independent actions $\alpha_1, \ldots, \alpha_n \in \Sigma$ such that $x[\alpha_1\ldots\alpha_n] = y$. The associated multiset of actions is

$act(x, x[\alpha_1\ldots\alpha_n])$ = the multiset consisting of $\alpha_1, \ldots, \alpha_n$.

This next step relation allows the parallel execution of pairwise independent actions in one step. The interpretation of ISTL* formulas over the ISTL* structure

$([\Sigma^\infty], \Rightarrow, act, L)$

differs from the interpretation over $([\Sigma^\infty], \to, act, L)$ in the next (resp. previous) step operators $X_\alpha$ (resp. $Y_\alpha$).

Lemma 4.10. If $\phi$ is a formula which does not contain the operators $X_\alpha$ and $Y_\alpha$ then an infinite trace $x$ satisfies $\phi$ w.r.t. the next step relation $\to$ if and only if $\phi$ is satisfied by $x$ using the interpretation based on the next step relation $\Rightarrow$.

If ISTL* is used to formulate real-time constraints such as 'a process responds to a request within 3 time units', and if we suppose that each atomic action can be executed in a single time unit, the next step relation $\to$ is not helpful since it ignores the fact that the parallel execution of pairwise independent actions $\alpha_1, \ldots, \alpha_n$ can be performed within a single time unit. Consider the formula

$\phi = EG(Y_\beta\,tt \to XX_\alpha\,tt)$

where $\beta$ stands for an (input-)action which is performed by a handshake mechanism and where $\alpha$ is an (output-)action representing the acknowledgement for the receipt of the message transmitted by $\beta$. Then $\phi$ ensures the existence of an execution which satisfies the following: whenever the system receives a message it acknowledges the receipt after two time units. Let $s = \alpha t$ where $\beta\,\iota\,\gamma$, $\neg(\alpha\,\iota\,\beta)$ and $\neg(\alpha\,\iota\,\gamma)$ and where $t = \beta\gamma\alpha\,\beta\gamma\alpha\ldots$. One might think of $\gamma$ as an input-action where the message is transmitted on a channel different from that which is used for $\beta$ (hence $\beta$ and $\gamma$ can be performed in parallel) and the acknowledgement sent by $\alpha$ consists of a message that uses an information which is given by $\gamma$ (hence $\alpha$ and $\gamma$ are dependent). Using the next step relation $\Rightarrow$ we get that the trace $[s]$ satisfies $\phi$. By means of $\to$ the trace $[s]$ does not satisfy $\phi$.
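To make the two next step relations on traces concrete, here is an added Python example (not the paper's own code) that enumerates, for a finite trace $[s]$, all observations from the empty trace to $[s]$ under the single-action relation $\to$ and under the parallel relation $\Rightarrow$ of this section, together with the multisets $act(\xi_i, \xi_{i+1})$ along each observation. Intermediate states are represented as left-closed sets of event positions of $s$; the independence relation and the word $s$ (the inputs $b$ and $c$ independent, the acknowledgement $a$ dependent on both, mirroring $\beta$, $\gamma$, $\alpha$ above) are constructed for the example. The function `min_steps` reports the least number of steps of an observation, which is the quantity the time-unit reading above turns on.

```python
from itertools import combinations

# Added example (not from the paper). Constructed concurrent alphabet: the input actions
# b and c are independent; the acknowledgement a depends on both of them.
INDEP = {("b", "c"), ("c", "b")}

def enabled_events(word, state, indep=INDEP):
    """Minimal events of the remainder of the finite trace [word] above the left-closed
    state (a set of positions): position j is enabled iff every earlier position carrying
    an action dependent on word[j] already lies in state."""
    return [j for j in range(len(word)) if j not in state and
            all(i in state or (word[i], word[j]) in indep for i in range(j))]

def successors(word, state, parallel, indep=INDEP):
    """One step of the next step relation on finite traces.
    parallel=False: x -> y, a single event is added, act(x, y) = {a};
    parallel=True:  x => y, a non-empty set of pairwise independent events is added and
                    act(x, y) is the multiset of their labels (returned as a sorted tuple)."""
    mins = enabled_events(word, state, indep)
    sizes = range(1, len(mins) + 1) if parallel else [1]
    result = []
    for r in sizes:
        for events in combinations(mins, r):
            # distinct minimal events are incomparable, hence labelled by independent actions
            act = tuple(sorted(word[e] for e in events))
            result.append((frozenset(state | set(events)), act))
    return result

def observations(word, parallel, indep=INDEP):
    """All observations from the empty trace (bottom) to [word], each given as the
    sequence of multisets act(xi_i, xi_{i+1}) along the way."""
    full = frozenset(range(len(word)))
    found = []

    def extend(state, steps):
        if state == full:
            found.append(tuple(steps))
            return
        for nxt, act in successors(word, state, parallel, indep):
            extend(nxt, steps + [act])

    extend(frozenset(), [])
    return found

def linearizations(word, indep=INDEP):
    """The words of the trace [word]: the -> observations read as strings."""
    return {"".join(a for (a,) in obs) for obs in observations(word, False, indep)}

def min_steps(word, parallel, indep=INDEP):
    """Length of a shortest observation; under => a parallel step costs one time unit."""
    return min(len(obs) for obs in observations(word, parallel, indep))

if __name__ == "__main__":
    s = "abca"                              # alpha beta gamma alpha: one round of the example
    print("linearizations of [s]:", sorted(linearizations(s)))
    print("-> observations:", observations(s, parallel=False))
    print("=> observations:", observations(s, parallel=True))
    print("steps needed: -> %d, => %d" % (min_steps(s, False), min_steps(s, True)))
```

For $s = abca$ the two $\to$ observations are the two linearizations $abca$ and $acba$ and take four steps each; $\Rightarrow$ adds the observation that performs $b$ and $c$ in one step, so three steps suffice. Every $\to$ observation also appears among the $\Rightarrow$ observations, since a step adding a single event is a special case of a step adding a set of pairwise independent events.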
4.4.3. Interpreting ISTL over pomsets. When considering the order-enriched linear time model $Pom^\infty$ there are two natural ways to define the next step relation.

The first possibility is to define the step relation $x \to y$ iff $x \sqsubset y$ and whenever $x \sqsubseteq z \sqsubseteq y$ then either $x = z$ or $z = y$. Then $x \to y$ iff $x = y|S$ where $S$ arises from the event set of $y$ by removing a single event $e$ of maximal depth. If $a$ is the label of this event $e$ in $y$ then we put $act(x, y) = \{a\}$.

[13] proposes an interpretation of ISTL* over pomsets of a certain kind, called 'partial order executions'. In the approach of [13] the actions $a$ are associated with an operation which explains how the variables of a system are modified when $a$ is executed. A partial order execution is then a pomset together with an initial 'snapshot' (i.e. a partial function from variables to values) such that each pair of events $e, e'$ which affect the same variables are ordered, i.e. either $e \leq e'$ or $e' \leq e$. In the approach of [13] intermediate states of a computation represented by a partial order execution $x$ are 'slices', i.e. left-closed finite subsets $S'$ of the event set of $x$. Hence, a slice of a pomset $x$ can be identified with a finite pomset $\xi \in \mathcal{K}(x)$, which is an intermediate state in our approach. [13] interpret path formulas over 'acceptable paths': if $x$ is a partial order execution then an acceptable path of $x$ is a sequence $(S_n)$ of $x$-slices such that $S_n = S_{n+1} \setminus \{e\}$ for some maximal event $e$ in $S_{n+1}$ and such that each event $e$ of $x$ is contained in some slice $S_n$. Hence, an acceptable path is an $x$-observation w.r.t. the next step relation $\to$. Identifying partial order executions and pomsets we obtain that the interpretation of ISTL in the sense of [13] agrees with our interpretation using the linear time model of pomsets and the next step relation $\to$.

Secondly, we consider the next step relation $\Rightarrow$ defined as follows. Let $y = (S, \leq, l)$ and $x = y|S'$ where $S' \subseteq S$ is left-closed. Then $x \Rightarrow y$ iff, for all $e, e' \in S \setminus S'$, either $e = e'$ or $\neg(e \leq e') \wedge \neg(e' \leq e)$. I.e. $x \Rightarrow y$ iff the events in $S \setminus S'$ are pairwise independent. In this case the step from $x$ to $y$ stands for the parallel execution of the events $S \setminus S'$. We define $act(x, y)$ to be the multiset of all actions $l(e)$, $e \in S \setminus S'$.

5.  Conclusion  and  Further  Work 

We have formulated an abstract, axiomatically given notion of a linear time model, and considered classes of behavioural properties in such models. Our framework admits the interleaving models, as well as some 'true concurrency' models such as Mazurkiewicz traces and pomsets, as special cases, but it does not handle full non-determinism. In this general framework we have been able to obtain extensional, topological and temporal characterizations of classes of properties including safety and liveness, generalising many of the results of [3, 7, 19]. As yet, we do not know how to admit the automata-theoretic characterization of [7] into our framework, or how to syntactically characterize properties such as reactivity. This is the subject of future study.
Abstract

Temporal logics are a well-established tool for specifying and reasoning about the computations performed by distributed systems. Although temporal logics are interpreted over sequences, it is often the case that such sequences can be gathered together into equivalence classes where all members of an equivalence class represent the same partially ordered stretch of behaviour of the system. This appears to have important implications for improving the practical efficiency of automated verification methods based on temporal logics. With this as motivation, we study logics that are directly interpreted over partial orders. We survey a number of linear time temporal logics whose underlying frames are Mazurkiewicz traces. We describe automata theoretic methods for solving the satisfiability and model checking problems for these logics. It turns out that we still do not know what the "canonical" linear time temporal logic over Mazurkiewicz traces looks like. We identify here the criteria that should be met by this elusive logic.


Introduction 

Propositional Linear time Temporal Logic (LTL) proposed by Pnueli [Pnu] has become a well established tool for specifying and reasoning about complex distributed behaviours [MP]. A central feature of LTL is that its formulas are interpreted over infinite sequences. In applications of LTL, the infinite sequences consist of the runs of a distributed system with each run being an infinite sequence of states assumed by the system or an infinite sequence of actions executed by the system during the course of a computation. Interesting distributed systems consist of a number of autonomous sequential agents that coordinate their behaviour with the help of some communication mechanism. In such systems, substantial portions of a computation will consist of causally independent tasks performed by different agents at separate locations. Consequently a single partially ordered stretch of behaviour of the system will be modelled by many different runs that differ from each other only

*This paper originally appeared in W. Penczek (Ed.), Mathematical Foundations of Computer Science (MFCS) 1996, Proceedings, Lecture Notes in Computer Science, Vol 1113, Springer-Verlag (1996) 62-92.


in  the  order  in  which  they  record  causally  independent  occurrences  of  actions.  This 
kind  of  run-based  view  is  often  referred  to  as  an  interleaved  semantics  of  distributed 
systems. 

The  interleaved  view  of  the  behaviour  of  distributed  systems  has  proved  to  be 
very  successful  and  popular.  However  it  has  been  known  for  some  time  that  the 
practical  effectiveness  of  LTL  and  related  formalisms  can  be  often  enhanced  by 
modelling  and  analyzing  the  concerned  behaviours  in  terms  of  partial  orders  rather 
than  sequences. 

In typical applications, an LTL formula constitutes the specification of the system behaviour and the verification problem consists of checking whether every run of the system is a model of the formula and therefore whether the system meets the specification. The property expressed by the specification is very often of the kind where either all the interleaved runs corresponding to a single partially ordered computation have the property or none of the interleavings have the property. A typical example of such a property is freedom from deadlock, as pointed out by Valmari [Val]. As a result, it suffices to verify the desired property for just one representative run of each partially ordered computation. The resulting saving in running time and memory usage can be substantial in practice [GW]. This is the background and motivation underlying the so called partial order based verification methods which are a subject of active research [GW, KP, Val].

There is an alternative way to exploit non-sequential behaviours and the attendant partial order based verification methods. It consists of developing temporal logics and related techniques that can be directly applied to specify and reason about the properties of partial order based runs of a distributed system. In this paper we survey linear time temporal logics that have arisen from this approach.

In going from sequences to partial orders it is easy to go overboard because so many possibilities are available. Fortunately, in the context of distributed behaviours, Mazurkiewicz has formulated a tractable and yet very fruitful way of passing from sequences to partial orders [Maz]. The resulting restricted partial orders are known as Mazurkiewicz traces, often called — as we shall do here — just traces. The theory of traces is well developed [Die, DR] and is strongly related to the theory of other well known formalisms such as Petri nets and event structures. Further, the classical theory of $\omega$-regular (word) languages in terms of its logical, algebraic and automata-theoretic aspects has been successfully extended to $\omega$-regular trace languages [EM, GP]. Finally, the structures that underlie the partial order based verification methods being developed recently can almost always be viewed as traces.

Hence  there  is  a  good  deal  of  motivation  for  formulating  linear  time  temporal 
logics  that  are  to  be  directly  interpreted  over  traces.  Many  such  logics  are  now 
available.  In  the  present  survey,  we  will  mainly  concentrate  on  the  ones  that  fulfill 
two  criteria: 

(i)  The  logic  should  be  expressible  within  the  first  order  theory  of  traces. 

(ii) The satisfiability problem for the logic should admit a treatment in terms of asynchronous Büchi automata.

This  seemingly  arbitrary  choice  of  criteria  can  be  justified  as  follows.  LTL  is  the 
linear  time  temporal  logic  over  sequences  in  that  it  is  equivalent  in  expressive  power 


to  the  first  order  theory  of  sequences  [Zuc].  We  consider  the  task  of  identifying  the 
counterpart  of  LTL  for  traces  to  be  an  important  one  both  from  a  theoretical  and 
practical  standpoint  (see  the  last  portion  of  Section  4).  At  present  we  do  not  know 
what  this  counterpart  of  LTL  looks  like.  However,  it  seems  a  good  starting  point  to 
concentrate  on  those  linear  time  temporal  logics  that  are  at  least  no  more  expressive 
than  the  first  order  theory  of  traces. 

As for the second criterion, an appealing feature of LTL is that its satisfiability and model checking problems can be transparently solved using Büchi automata [VW]. This has led to a clean separation of the logical and combinatorial aspects of these problems, thus contributing to the development of automated verification methods and related optimization techniques. The evidence available at present suggests that asynchronous Büchi automata are an appropriate machine model for dealing with $\omega$-regular trace languages. Hence it seems worthwhile to lift the interplay between LTL and Büchi automata to the level of traces.

In the next section we review the basic aspects of traces. In Section 2 we describe asynchronous Büchi automata and present our version of these automata called, for want of a better name, A2-automata. In Section 3, the heart of the paper, we present the logic TrPTL (Trace based Propositional Temporal logic of Linear time) and two of its sublogics TrPTL$_{con}$ and TrPTL$^\otimes$. The logic TrPTL is directly interpreted over traces. We show that the satisfiability and model checking problems for TrPTL can be solved using A2-automata. We then show that the syntactic restrictions imposed to obtain TrPTL$_{con}$ and TrPTL$^\otimes$ lead to corresponding simplifications in the world of automata. After presenting these results we survey a number of other temporal logics that use traces as their underlying frames. In Section 4 we show that TrPTL is expressible within the first order theory of traces. The final section contains concluding remarks.

Most  of  the  results  will  be  presented  without  proofs.  The  proofs  are  either 
available  in  the  literature  or  can  be  easily  manufactured  using  the  results  available 
in  the  literature. 


1  Traces 

The starting point for trace theory is a trace alphabet $(\Sigma, I)$, where $\Sigma$, the alphabet, is a finite set and $I \subseteq \Sigma \times \Sigma$ is an irreflexive and symmetric independence relation. In most applications, $\Sigma$ consists of the actions performed by a distributed system while $I$ captures a strong static notion of causal independence between actions. The idea is that contiguous independent actions occur with no causal order between them. Thus, every sequence of actions from $\Sigma$ corresponds to an interleaved observation of a partially-ordered stretch of system behaviour. This leads to a natural equivalence relation over execution sequences: two sequences are equated iff they correspond to different interleavings of the same partially-ordered stretch of behaviour.

To formulate this equivalence relation precisely, we need some terminology. For the rest of the section we fix a trace alphabet $(\Sigma, I)$ and let $a, b$ range over $\Sigma$. $D = (\Sigma \times \Sigma) - I$ is called the dependency relation. Note that $D$ is reflexive and symmetric. A set $p \subseteq \Sigma$ is called a $D$-clique iff $p \times p \subseteq D$. We set $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$ where $\Sigma^*$ is the set of finite words over $\Sigma$ and $\Sigma^\omega$ is the set of infinite words over $\Sigma$. We let $\sigma, \sigma'$ with or without subscripts range over $\Sigma^\infty$ and $\tau, \tau'$ with or without subscripts range over $\Sigma^*$. The equivalence relation $\sim_I \subseteq \Sigma^\infty \times \Sigma^\infty$ induced by $I$ is given by:

$\sigma \sim_I \sigma'$ iff $\sigma \restriction p = \sigma' \restriction p$ for every $D$-clique $p$.

Here and elsewhere, if $A$ is a finite set, $\rho \in A^\infty$ and $B \subseteq A$ then $\rho \restriction B$ is the sequence obtained by erasing from $\rho$ all occurrences of letters in $A - B$.

Clearly  ~/  is  an  equivalence  relation.  Notice  that  if  cr  =  Taber  x  and  a'  =  rbaax 
with  (a,  6)  €  I  then  a  ~j  a'.  Thus  cr  and  a'  are  identified  if  they  differ  only  in 
the  order  of  appearance  of  a  pair  of  adjacent  independent  actions.  In  fact,  for 
finite  words,  an  alternative  way  to  characterize  ~j  is  to  say  that  cr  <j'  iff  a'  can 
be  obtained  from  a  by  a  finite  sequence  of  permutations  of  adjacent  independent 
actions.  Unfortunately,  the  definition  of  in  terms  of  permutations  is  too  naive 
to  be  transported  to  infinite  words,  which  is  why  we  work  with  the  less  intuitive 
definition  presented  here. 

The  equivalence  classes  generated  by  are  called  (Mazurkiewicz)  traces.  The 
theory  of  traces  is  well  developed  and  documented— see  [Die,  DR]  for  basic  material 
as  well  as  a  substantial  number  of  references  to  related  work. 

Traces  have  many  equivalent  representations.  We  shall  view  traces  as  special 
kinds  of  labelled  partial  orders.  Since  sequences  can  be  viewed  as  labelled  total 
orders,  this  representation  emphasizes  that  traces  are  an  elegant  and  non-trivial 
generalization  of  sequences. 

Recall that a $\Sigma$-labelled poset is a structure $T = (E, \le, \lambda)$ where $\le$ is a partial order on the set $E$ and $\lambda : E \to \Sigma$ is a labelling function. The covering relation $\lessdot \subseteq E \times E$ is given by: $e \lessdot e'$ iff $e < e'$ (i.e., $e \le e'$ and $e \ne e'$) and for every $e'' \in E$, $e \le e'' \le e'$ implies $e = e''$ or $e'' = e'$.

For $X \subseteq E$ we define $\downarrow X$ to be the set $\{y \mid y \le x \text{ for some } x \in X\}$. If $X$ is a singleton $\{x\}$, we write $\downarrow x$ instead of $\downarrow \{x\}$.

We can now formulate traces in terms of labelled partial orders. A trace over $(\Sigma, I)$ is a $\Sigma$-labelled poset $T = (E, \le, \lambda)$ which satisfies the following conditions.

• $E$ is a countable set.

• For each $e \in E$, $\downarrow e$ is a finite set.

• For all $e, e' \in E$, if $e \lessdot e'$ then $(\lambda(e), \lambda(e')) \in D$.

• For all $e, e' \in E$, if $(\lambda(e), \lambda(e')) \in D$ then $e \le e'$ or $e' \le e$.

Let $TR(\Sigma, I)$ denote the set of $\Sigma$-labelled posets that satisfy the definition above. We now sketch briefly the proof that $\Sigma^\infty/\!\sim_I$ and $TR(\Sigma, I)$ represent the same class of objects. We construct representation maps $str : \Sigma^\infty \to TR(\Sigma, I)$ and $trs : TR(\Sigma, I) \to \Sigma^\infty/\!\sim_I$ and state some results which show that these maps are "inverses" of each other. We shall not prove these results. The details can be easily obtained using the constructions developed in [WN] for relating traces and event structures.


Henceforth, we will not distinguish between isomorphic elements in $TR(\Sigma, I)$. In other words, whenever we write $T = T'$ for traces $T = (E, \le, \lambda)$ and $T' = (E', \le', \lambda')$, we mean that there is a label-preserving isomorphism between $T$ and $T'$.

For $\sigma \in \Sigma^\infty$, $[\sigma]$ stands for the $\sim_I$-equivalence class containing $\sigma$. We use $\preceq$ to describe the usual prefix ordering over sequences. Let $prf(\sigma)$ denote the set of finite prefixes of $\sigma$.

We now define $str : \Sigma^\infty \to TR(\Sigma, I)$. Let $\sigma \in \Sigma^\infty$. Then $str(\sigma) = (E, \le, \lambda)$ where:

• $E = \{\tau a \mid \tau a \in prf(\sigma)\}$. Recall that $\tau \in \Sigma^*$ and $a \in \Sigma$. Thus $E = prf(\sigma) - \{\epsilon\}$, where $\epsilon$ is the null string.

• $\le \subseteq E \times E$ is the least partial order which satisfies: for all $\tau a, \tau' b \in E$, if $\tau a \preceq \tau' b$ and $(a, b) \in D$ then $\tau a \le \tau' b$.

• For $\tau a \in E$, $\lambda(\tau a) = a$.

The map $str$ induces a natural map $str'$ from $\Sigma^\infty/\!\sim_I$ to $TR(\Sigma, I)$ defined by $str'([\sigma]) = str(\sigma)$. One can show that if $\sigma, \sigma' \in \Sigma^\infty$, then $\sigma \sim_I \sigma'$ iff $str(\sigma) = str(\sigma')$. This observation guarantees that $str'$ is well defined. In fact, henceforth we shall write $str$ to denote both $str$ and $str'$.

To go in the other direction let $T = (E, \le, \lambda)$ be a trace over $(\Sigma, I)$. Then $\rho \in E^\infty$ is called a linearization of $T$ iff every $e \in E$ appears exactly once in $\rho$ and, moreover, whenever $e, e' \in E$ and $e < e'$, $e$ appears before $e'$ in $\rho$.

As usual, we can extend the labelling function $\lambda : E \to \Sigma$ to words over $E$ in a canonical way. If $\rho = e_0 e_1 \ldots$ is a word in $E^\infty$ then $\lambda(\rho)$ denotes the corresponding word $\lambda(e_0)\lambda(e_1)\ldots$ in $\Sigma^\infty$. We can now define the map $trs : TR(\Sigma, I) \to \Sigma^\infty/\!\sim_I$ as follows:

$trs(T) = \{\lambda(\rho) \mid \rho \text{ is a linearization of } T\}$.

Proposition 1.1

(i) For every $\sigma \in \Sigma^\infty$, $trs(str(\sigma)) = [\sigma]$.

(ii) For every $T \in TR(\Sigma, I)$, $str(trs(T)) = T$.

This result justifies our claim that $\Sigma^\infty/\!\sim_I$ and $TR(\Sigma, I)$ are indeed two equivalent ways of talking about the same class of objects.
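The following is an added example, not part of the original paper: it makes the definitions of this section executable for finite words. It computes $\sim_I$ through projections on $D$-cliques, builds $str(\sigma)$ as a labelled poset (events identified by prefix length, the order obtained as the transitive closure of the dependency constraints), enumerates $trs(T)$ as the labels of all linearizations, and checks both parts of Proposition 1.1 on the text's own alphabet $\Sigma = \{a, b, d\}$, $I = \{(a,b),(b,a)\}$. Equality of traces is tested by comparing linearization sets, which by Proposition 1.1 (ii) is the same as label-preserving isomorphism. All function and constant names are ours.

```python
"""Mazurkiewicz traces over a trace alphabet (Sigma, I): the equivalence ~_I
defined through projections on D-cliques, the map str (word -> labelled poset)
and the map trs (poset -> labels of its linearizations). Finite words only."""
from itertools import combinations, permutations

# Constructed sample alphabet (the text's example): Sigma = {a, b, d}, I = {(a, b), (b, a)}.
SIGMA = frozenset("abd")
INDEP = frozenset({("a", "b"), ("b", "a")})


def dependency(sigma, indep):
    """D = (Sigma x Sigma) - I; reflexive and symmetric since I is irreflexive and symmetric."""
    return frozenset((a, b) for a in sigma for b in sigma if (a, b) not in indep)


def d_cliques(sigma, dep):
    """All non-empty p subset of Sigma with p x p subset of D."""
    return [frozenset(c) for r in range(1, len(sigma) + 1)
            for c in combinations(sorted(sigma), r)
            if all((a, b) in dep for a in c for b in c)]


def project(word, letters):
    """word restricted to letters: erase every occurrence of a letter outside letters."""
    return tuple(x for x in word if x in letters)


def trace_equivalent(w1, w2, sigma=SIGMA, indep=INDEP):
    """w1 ~_I w2 iff the projections on every D-clique agree."""
    dep = dependency(sigma, indep)
    return all(project(w1, p) == project(w2, p) for p in d_cliques(sigma, dep))


def trace_class(word, sigma=SIGMA, indep=INDEP):
    """[word]: every rearrangement of the letters of word that is ~_I-equivalent to it."""
    return {w for w in set(permutations(word)) if trace_equivalent(word, w, sigma, indep)}


def str_map(word, sigma=SIGMA, indep=INDEP):
    """str(word): the event 'tau a' (a non-empty prefix) is identified by its length i.
    <= is the least partial order containing (i, j) whenever prefix i precedes prefix j
    and the letters at i and j are dependent; obtained here by transitive closure."""
    dep = dependency(sigma, indep)
    n = len(word)
    le = {(i, j) for i in range(1, n + 1) for j in range(i, n + 1)
          if (word[i - 1], word[j - 1]) in dep}
    for k in range(1, n + 1):            # Warshall closure
        for i in range(1, n + 1):
            if (i, k) in le:
                for j in range(1, n + 1):
                    if (k, j) in le:
                        le.add((i, j))
    label = {i: word[i - 1] for i in range(1, n + 1)}
    return frozenset(range(1, n + 1)), frozenset(le), label


def trs_map(trace):
    """trs(T): lambda applied to every linearization (topological ordering) of T."""
    events, le, label = trace
    below = {e: {f for f in events if (f, e) in le and f != e} for e in events}
    out = set()

    def extend(done, order):
        if len(order) == len(events):
            out.add(tuple(label[e] for e in order))
            return
        for e in sorted(events):
            if e not in done and below[e] <= done:
                extend(done | {e}, order + [e])

    extend(frozenset(), [])
    return out


def proposition_1_1_holds(word, sigma=SIGMA, indep=INDEP):
    """(i) trs(str(word)) = [word]; (ii) str(trs(T)) = T, the latter checked up to
    label-preserving isomorphism by comparing linearization sets."""
    t = str_map(word, sigma, indep)
    lins = trs_map(t)
    part_i = lins == trace_class(word, sigma, indep)
    part_ii = all(trs_map(str_map(w, sigma, indep)) == lins for w in lins)
    return part_i and part_ii
```

For the word $abd$ the poset has $a \le d$ and $b \le d$ with $a$ and $b$ unordered, so $trs(str(abd)) = \{abd, bad\} = [abd]$, exactly the two interleavings that agree on the cliques $\{a, d\}$ and $\{b, d\}$.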

In the poset representation of traces, finite configurations play the same role that finite prefixes do in sequences. Let $T = (E, \le, \lambda)$ be a trace over $(\Sigma, I)$. Then $c \subseteq E$ is a configuration iff $c$ is finite and $\downarrow c = c$. We let $C_T$ denote the set of configurations of $T$. Notice that $\emptyset$, the empty set, is a configuration. It is the least configuration under set inclusion. More importantly, $\downarrow e$ is a configuration for every event $e$. These "pointed" configurations associated with the events are also called prime configurations. They constitute the building blocks for the Scott domains induced by traces [NPW]. We shall see that they also play a fundamental role in defining linear time temporal logics over traces.

We now turn our attention to distributed alphabets. Distributed alphabets can be viewed as "implementations" of trace alphabets. They form the basis for defining machine models with a built-in notion of independence which recognize trace languages.

Let $\mathcal{P}$ be a finite set of sequential agents called processes. A distributed alphabet is a family $\{\Sigma_p\}_{p \in \mathcal{P}}$ where $\Sigma_p$ is a finite non-empty alphabet for each $p \in \mathcal{P}$. The idea is that whenever an action from $\Sigma_p$ occurs, the agent $p$ must participate in it. Hence the agents can constrain each other's behaviour, both directly and indirectly.

Trace alphabets and distributed alphabets are closely related to each other. Let $\tilde{\Sigma} = \{\Sigma_p\}_{p \in \mathcal{P}}$ be a distributed alphabet. Then $\Sigma_{\tilde{\Sigma}}$, the global alphabet associated with $\tilde{\Sigma}$, is the collection $\bigcup_{p \in \mathcal{P}} \Sigma_p$. The distribution of $\Sigma_{\tilde{\Sigma}}$ over $\mathcal{P}$ can be described using a location function $loc_{\tilde{\Sigma}} : \Sigma_{\tilde{\Sigma}} \to 2^{\mathcal{P}}$ defined as follows:

$loc_{\tilde{\Sigma}}(a) = \{p \mid a \in \Sigma_p\}$.

This in turn induces the relation $I_{\tilde{\Sigma}} \subseteq \Sigma_{\tilde{\Sigma}} \times \Sigma_{\tilde{\Sigma}}$ given by:

$(a, b) \in I_{\tilde{\Sigma}}$ iff $loc_{\tilde{\Sigma}}(a) \cap loc_{\tilde{\Sigma}}(b) = \emptyset$.

Clearly $I_{\tilde{\Sigma}}$ is irreflexive and symmetric and hence $(\Sigma_{\tilde{\Sigma}}, I_{\tilde{\Sigma}})$ is a trace alphabet. Thus every distributed alphabet canonically induces a trace alphabet. Two actions are independent according to $\tilde{\Sigma}$ if they are executed by disjoint sets of processes. Henceforth, we write $loc$ for $loc_{\tilde{\Sigma}}$ whenever $\tilde{\Sigma}$ is clear from the context.

Going in the other direction there are, in general, many different ways to implement a trace alphabet as a distributed alphabet. A standard approach is to create a separate agent for each maximal $D$-clique generated by $(\Sigma, I)$. Recall that a $D$-clique of $(\Sigma, I)$ is a non-empty subset $p \subseteq \Sigma$ such that $p \times p \subseteq D$. Let $\mathcal{P}$ be the set of maximal $D$-cliques of $(\Sigma, I)$. This set of processes induces the distributed alphabet $\tilde{\Sigma} = \{\Sigma_p\}_{p \in \mathcal{P}}$ where $\Sigma_p = p$ for every process $p$. The alphabet $\tilde{\Sigma}$ implements $(\Sigma, I)$ in the sense that the canonical trace alphabet induced by it is exactly $(\Sigma, I)$. In other words, $\Sigma_{\tilde{\Sigma}} = \Sigma$ and $I_{\tilde{\Sigma}} = I$.

For example, consider the trace alphabet $(\Sigma, I)$ where $\Sigma = \{a, b, d\}$ and $I = \{(a, b), (b, a)\}$. The canonical $D$-clique implementation of $(\Sigma, I)$ yields the distributed alphabet $\tilde{\Sigma} = \{\{a, d\}, \{d, b\}\}$.
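As an added example (not from the paper), the two directions just described, written out in Python: the location function and the trace alphabet $(\Sigma_{\tilde{\Sigma}}, I_{\tilde{\Sigma}})$ induced by a distributed alphabet, the canonical maximal-$D$-clique implementation of a trace alphabet, and a check that the implementation induces the original trace alphabet. A distributed alphabet is represented as a dictionary from process names to local alphabets; the sample alphabets are the text's $\{a, b, d\}$ example and $\{\{a\}, \{b\}\}$, and the function names are ours.

```python
"""Distributed alphabets <-> trace alphabets: loc, the induced independence
relation, and the canonical D-clique implementation."""
from itertools import combinations


def loc(dist, a):
    """loc(a) = {p | a in Sigma_p}; dist maps each process name to its local alphabet."""
    return frozenset(p for p, sigma_p in dist.items() if a in sigma_p)


def induced_trace_alphabet(dist):
    """(Sigma, I): Sigma is the union of the local alphabets and
    (a, b) in I iff loc(a) and loc(b) are disjoint."""
    sigma = frozenset().union(*dist.values())
    indep = frozenset((a, b) for a in sigma for b in sigma
                      if not (loc(dist, a) & loc(dist, b)))
    return sigma, indep


def maximal_d_cliques(sigma, indep):
    """Maximal non-empty p subset of Sigma with p x p subset of D = (Sigma x Sigma) - I."""
    dep = {(a, b) for a in sigma for b in sigma if (a, b) not in indep}
    cliques = [frozenset(c) for r in range(1, len(sigma) + 1)
               for c in combinations(sorted(sigma), r)
               if all((a, b) in dep for a in c for b in c)]
    return frozenset(c for c in cliques if not any(c < d for d in cliques))


def clique_implementation(sigma, indep):
    """Canonical distributed alphabet: one process per maximal D-clique p with Sigma_p = p.
    Each process is named by the sorted letters of its clique (our convention)."""
    return {"".join(sorted(p)): p for p in maximal_d_cliques(sigma, indep)}


def implements(dist, sigma, indep):
    """dist implements (Sigma, I) iff the trace alphabet it induces is exactly (Sigma, I)."""
    return induced_trace_alphabet(dist) == (frozenset(sigma), frozenset(indep))


# Constructed: the text's example Sigma = {a, b, d}, I = {(a, b), (b, a)}.
SIGMA = frozenset("abd")
INDEP = frozenset({("a", "b"), ("b", "a")})
# Constructed: the distributed alphabet {{a}, {b}} with two fully independent processes.
DIST0 = {"p": frozenset("a"), "q": frozenset("b")}
```

With $I = \emptyset$ the whole alphabet is the single maximal $D$-clique, so `clique_implementation` returns one process, which is the sequential case mentioned at the end of this section.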

As mentioned earlier, distributed alphabets play a crucial role in the automata-theoretic aspects of trace theory. The fundamental result of Zielonka [Zie] says that every regular trace language over $(\Sigma, I)$ can be recognized by an asynchronous automaton over a distributed alphabet $\tilde{\Sigma}$ which implements $(\Sigma, I)$. This result has been extended to $\omega$-regular trace languages in terms of asynchronous Büchi automata by Gastin and Petit [GP].

Distributed alphabets arise naturally in a variety of models of distributed systems. In particular they are associated with the restricted but very useful model of a distributed system consisting of a network of sequential agents that coordinate their behaviour by performing common actions together. The linear time temporal logics that we consider in this paper will be based on distributed alphabets.

We conclude this section with a technical remark. Most of the theory of traces presented in this paper, including the automata-theoretic and logical aspects, constitutes a natural and conservative extension of the existing theory in the sequential setting. The sequential theory can almost always be recovered by setting $I = \emptyset$ when dealing with trace alphabets. Correspondingly, when dealing with distributed alphabets, the sequential case corresponds to having just one agent, i.e., $|\mathcal{P}| = 1$.

2 Automata over Infinite Traces

From now on we shall focus on infinite traces. With a little additional work most of the material we shall present on automata and logics can be extended to handle finite traces as well. Through the rest of this section we fix a distributed alphabet $\tilde{\Sigma} = \{\Sigma_p\}_{p \in \mathcal{P}}$ with the induced trace alphabet $(\Sigma, I)$, where $\Sigma = \bigcup_{p \in \mathcal{P}} \Sigma_p$ and $I = \{(a, b) \mid loc(a) \cap loc(b) = \emptyset\}$.

The terminology and notational conventions developed in the previous section are assumed here as well. We will be dealing with many $\mathcal{P}$-indexed families. For convenience we shall often write $\{X_p\}$ to denote the $\mathcal{P}$-indexed family $\{X_p\}_{p \in \mathcal{P}}$. A similar convention will be followed in dealing with $\Sigma$-indexed families: $\{Y_a\}$ will denote the family $\{Y_a\}_{a \in \Sigma}$.

Asynchronous Büchi automata, due to Gastin and Petit [GP], are the basic class of automata operating over infinite traces. They constitute a common generalization of the asynchronous automata of Zielonka [Zie] operating over finite traces and a mild variant of the classical Büchi automata operating over infinite sequences. We shall consider here a number of variants of asynchronous Büchi automata, each with a slightly different acceptance condition.

We begin with a brief and slightly non-standard presentation of Büchi automata. A word $\omega$-automaton over $\Sigma$ is a pair $\mathcal{B} = (TS, \mathcal{T})$ where

• $TS = (S, \{\to_a\}, S_{in})$ is a finite state transition system over $\Sigma$. In other words, $S$ is a finite set of states, $\to_a \subseteq S \times S$ is an $a$-labelled transition relation for each $a \in \Sigma$ and $S_{in} \subseteq S$ is a set of initial states.

• $\mathcal{T}$ is an acceptance table accompanied by an acceptance condition.

Before considering a number of possibilities for $\mathcal{T}$, let us define the notion of a run. The $\Sigma$-indexed family of transition relations $\{\to_a\}$ induces a global transition relation $\to_{\mathcal{B}} \subseteq S \times \Sigma \times S$ given by $s \xrightarrow{a}_{\mathcal{B}} s'$ iff $(s, s') \in \to_a$. Where $\mathcal{B}$ is clear from the context $\to_{\mathcal{B}}$ will be written as $\to$.

Let $\sigma \in \Sigma^\omega$ (i.e., $\sigma : \omega \to \Sigma$ where, as usual, $\omega = \{0, 1, 2, \ldots\}$ is the set of natural numbers). A run of $TS$ over $\sigma$ is a map $\rho : \omega \to S$ such that $\rho(0) \in S_{in}$ and $\rho(i) \xrightarrow{\sigma(i)} \rho(i+1)$ for every $i \ge 0$.

The set of states encountered infinitely often along the run $\rho$ is denoted $inf(\rho)$: $inf(\rho) = \{s \mid \text{for infinitely many } i, \rho(i) = s\}$.

Let us now consider just two of the various possibilities for $\mathcal{T}$.

(B0) $\mathcal{T} = F \subseteq S$.

A run $\rho$ over $\sigma$ is accepting with respect to B0 iff $inf(\rho) \cap F \ne \emptyset$. We shall say that $\mathcal{B}$ is a B0-automaton if it uses B0 as its acceptance criterion. Of course, we shall also refer to these by their standard name: Büchi automata.

$L(\mathcal{B})$, the language accepted (recognized) by $\mathcal{B}$, is the set of infinite words $\sigma$ such that there is an accepting run of $\mathcal{B}$ on $\sigma$. A language $L \subseteq \Sigma^\omega$ is said to be $\omega$-regular iff there exists a Büchi automaton $\mathcal{B}$ over $\Sigma$ such that $L(\mathcal{B}) = L$. As is well known, $\omega$-regular languages have equivalent algebraic and logical presentations, as detailed in the excellent survey [Tho].

A second possibility for $\mathcal{T}$ is:

(B1) $\mathcal{T} \subseteq 2^S$.

A run $\rho$ over $\sigma$ is accepting with respect to B1 iff there exists $F \in \mathcal{T}$ such that $inf(\rho) = F$. It is easy to show that $L \subseteq \Sigma^\omega$ is $\omega$-regular iff there exists a B1-automaton $\mathcal{B}$ (i.e., an automaton $\mathcal{B}$ that uses B1 as its acceptance criterion) such that $L = L(\mathcal{B})$. Thus at the level of sequences there is no difference in expressive power between Büchi automata and B1-automata. As we shall see, at the level of traces, B0 is weaker than B1.
For defining automata on infinite traces we need to develop some notation. Let $T = (E, \le, \lambda) \in TR(\Sigma, I)$. Then $T$ is an infinite trace iff $E$ is an infinite set. Let $TR^\omega(\Sigma, I)$ denote the subclass of infinite traces over $(\Sigma, I)$. Often, we shall write $TR^\omega$ instead of $TR^\omega(\Sigma, I)$.

Let $T \in TR^\omega$ with $T = (E, \le, \lambda)$ and let $p \in \mathcal{P}$. Then $e \in E$ is a $p$-event iff $\lambda(e) \in \Sigma_p$. Similarly, $e$ is an $a$-event iff $\lambda(e) = a$. We let $E_p$ denote the set of $p$-events and $E_a$ denote the set of $a$-events.

There are two natural transition relations that one can associate with $T$. The event based transition relation $\Rightarrow_T \subseteq C_T \times E \times C_T$ is defined as $c \xRightarrow{e}_T c'$ iff $e \notin c$ and $c \cup \{e\} = c'$. The action-based transition relation $\to_T \subseteq C_T \times \Sigma \times C_T$ is defined as $c \xrightarrow{a}_T c'$ iff there exists $e \in E$ such that $\lambda(e) = a$ and $c \xRightarrow{e}_T c'$.

To define automata on infinite traces, we have to first define a distributed version of transition systems. The distributed transition systems we work with here are essentially the asynchronous automata of Zielonka [Zie]. We begin with some notation involving local and global states.

Let $\mathcal{P}$ be a set of processes. We equip each process $p \in \mathcal{P}$ with a finite non-empty set of local $p$-states, denoted $S_p$. We set $S = \bigcup_{p \in \mathcal{P}} S_p$ and call $S$ the set of local states.

We let $P, Q$ range over non-empty subsets of $\mathcal{P}$ and let $p, q$ range over $\mathcal{P}$. A $Q$-state is a map $s : Q \to S$ such that $s(q) \in S_q$ for every $q \in Q$. We let $S_Q$ denote the set of $Q$-states. We call $S_{\mathcal{P}}$ the set of global states.

If $Q' \subseteq Q$ and $s \in S_Q$ then $s_{Q'}$ is $s$ restricted to $Q'$. In other words $s_{Q'}$ is the $Q'$-state $s'$ which satisfies $s'(q') = s(q')$ for every $q'$ in $Q'$. We use $a$ to abbreviate $loc(a)$ when talking about states (recall that $loc(a) = \{p \mid a \in \Sigma_p\}$). Thus an $a$-state is just a $loc(a)$-state and $S_a$ denotes the set of all $loc(a)$-states. If $loc(a) \subseteq Q$ and $s$ is a $Q$-state we shall write $s_a$ to mean $s_{loc(a)}$.

A distributed transition system $TS$ over $\tilde{\Sigma}$ is a structure $(\{S_p\}, \{\to_a\}, S_{in})$ where

• $S_p$ is a finite non-empty set of $p$-states for each process $p$.

• For $a \in \Sigma$, $\to_a \subseteq S_a \times S_a$ is a transition relation between $a$-states.

• $S_{in} \subseteq S_{\mathcal{P}}$ is a set of initial global states.

The idea is that an $a$-move by $TS$ involves only the local states of the agents which participate in the execution of $a$. This is reflected in the global transition relation $\to_{TS} \subseteq S_{\mathcal{P}} \times \Sigma \times S_{\mathcal{P}}$ which is defined as:

$s \xrightarrow{a}_{TS} s'$ iff $(s_a, s'_a) \in \to_a$ and $s_{\mathcal{P} - loc(a)} = s'_{\mathcal{P} - loc(a)}$.

From the definition of $\to_{TS}$ it is clear that actions which are executed by disjoint sets of agents are processed independently by $TS$.

A trace $\omega$-automaton over $\tilde{\Sigma} = \{\Sigma_p\}$ is a pair $\mathcal{A} = (TS, \mathcal{T})$ where $TS = (\{S_p\}, \{\to_a\}, S_{in})$ is a distributed transition system over $\tilde{\Sigma}$ and $\mathcal{T}$ is an acceptance table (which we will elaborate on later).

A trace run of $TS$ over $T \in TR^\omega$ is a map $\rho : C_T \to S_{\mathcal{P}}$ such that $\rho(\emptyset) \in S_{in}$ and for every $(c, a, c') \in \to_T$, $\rho(c) \xrightarrow{a}_{TS} \rho(c')$.

To define acceptance we must now compute $inf_p(\rho)$, the set of $p$-states that are encountered infinitely often along $\rho$. The obvious definition, namely $inf_p(\rho) = \{s_p \mid \rho(c)(p) = s_p \text{ for infinitely many } c \in C_T\}$, will not work. The complication arises because some processes may make only finitely many moves, even though the overall trace consists of an infinite number of events.

For instance, consider the distributed alphabet $\tilde{\Sigma}_0 = \{\{a\}, \{b\}\}$. In the corresponding distributed transition system, there are two processes $p$ and $q$ which execute $a$'s and $b$'s completely independently. Consider the trace $T = (E, \le, \lambda)$ where $|E_p| = 1$ and $E_q$ is infinite, i.e., all the infinite words in $trs(T)$ contain one $a$ and infinitely many $b$'s. Let $s_p$ be the state of $p$ after executing $a$. Then, there will be infinitely many configurations whose $p$-state is $s_p$, even though $p$ only moves a finite number of times.

Continuing with the same example, consider another infinite trace $T' = (E', \le', \lambda')$ over the same alphabet where both $E'_p$ and $E'_q$ are infinite. Once again, let $s_p$ be the local state of $p$ after reading one $a$. Further, let us suppose that after reading the second $a$, $p$ never returns to the state $s_p$. It will still be the case that there are infinitely many configurations whose $p$-state is $s_p$: consider the configurations $c_0, c_1, c_2, \ldots$ where $c_j$ is the finite configuration after one $a$ and $j$ $b$'s have occurred.

So, we have to define $inf_p(\rho)$ carefully in order to be able to distinguish whether or not process $p$ is making progress. The appropriate formulation is as follows:

Case 1: $E_p$ is finite. $inf_p(\rho) = \{s_p\}$, where $\rho(\downarrow E_p) = s$ and $s_p = s(p)$.

Case 2: $E_p$ is an infinite set. $inf_p(\rho) = \{s_p \mid \text{for infinitely many } e \in E_p,\ s_e(p) = s_p, \text{ where } \rho(\downarrow e) = s_e\}$.

We can now begin to consider various acceptance tables.

(A0) $\mathcal{T} = \{F_p\}$ with $F_p \subseteq S_p$ for each $p$.

A run $\rho$ over $T$ is accepting with respect to A0 iff $inf_p(\rho) \cap F_p \ne \emptyset$ for every $p$. The trace language accepted by the A0-automaton $\mathcal{A}$ (i.e., where $\mathcal{T}$ is of the form A0) is the set $L_{Tr}(\mathcal{A}) = \{T \mid \text{there is an accepting run of } TS \text{ over } T\}$. A0-automata are the obvious common generalization of asynchronous automata and Büchi automata. It turns out that A0-automata are not expressive enough: the acceptance criterion cannot distinguish whether or not an agent executes infinitely many actions.

To bring this out and to motivate the acceptance condition we are after, we will put down a crude definition of $\omega$-regular trace languages.

A trace language over $\tilde{\Sigma}$ is just a subset of $TR^\omega$. To define $\omega$-regular trace languages, we exploit the result from the previous section linking $\Sigma^\infty/\!\sim_I$ and $TR(\Sigma, I)$ which permits us to associate a language of infinite words with each trace language. We can then transport the definition of $\omega$-regularity from subsets of $\Sigma^\omega$ to infinite traces.


Let $L \subseteq \Sigma^\omega$. Then $L$ is $I$-consistent iff for every $\sigma \in \Sigma^\omega$, if $\sigma \in L$ then $[\sigma] \subseteq L$. Thus if $L$ is $I$-consistent either all members of the $\sim_I$-equivalence class $[\sigma]$ are in $L$ or none of them are in $L$.

Let $\mathcal{L} \subseteq TR^\omega$. We say that $\mathcal{L}$ is an $\omega$-regular trace language iff there exists an $I$-consistent $\omega$-regular language $L \subseteq \Sigma^\omega$ such that $\mathcal{L} = \{str(\sigma) \mid \sigma \in L\}$. Stated differently, $\mathcal{L} \subseteq TR^\omega$ is an $\omega$-regular trace language iff $L = \bigcup\{trs(T) \mid T \in \mathcal{L}\}$ is an $\omega$-regular subset of $\Sigma^\omega$. As in the word case, algebraic and logical presentations of $\omega$-regular trace languages have been worked out [EM, GP]. These presentations have a flavour which is pleasingly similar to the classical algebraic and logical characterisations of $\omega$-regular subsets of $\Sigma^\omega$.

Returning to the distributed alphabet $\tilde{\Sigma}_0 = \{\{a\}, \{b\}\}$, let $(\Sigma_0, I_0)$ denote the corresponding trace alphabet. Consider $\mathcal{L} \subseteq TR^\omega(\Sigma_0, I_0)$ consisting of the single trace $T = (E, \le, \lambda)$ such that $E_a$ and $E_b$ are both infinite sets. It is easy to check that $\mathcal{L}$ is an $\omega$-regular trace language but, as argued in [GP], no A0-automaton over $\tilde{\Sigma}_0$ can recognize $\mathcal{L}$.

It is worth noting that having multiple entries in the acceptance table does not help. In other words, one might consider the following acceptance criterion.

(A0') $\mathcal{T} = \{\mathcal{T}_1, \mathcal{T}_2, \ldots, \mathcal{T}_n\}$ with $\mathcal{T}_i = \{F^i_p\}_{p \in \mathcal{P}}$ and $F^i_p \subseteq S_p$ for each $i \in \{1, 2, \ldots, n\}$ and each $p \in \mathcal{P}$. A run $\rho$ of $TS$ over $T \in TR^\omega$ is accepting with respect to A0' iff there exists $i$ such that $inf_p(\rho) \cap F^i_p \ne \emptyset$ for each $p$.

The reason why A0' does not help is that the class of languages accepted by A0-automata is closed under union, thanks to the presence of multiple global initial states. We can construct an A0-automaton $\mathcal{A}_i = (TS, \mathcal{T}_i)$ for each entry $\mathcal{T}_i$ from the table of an A0'-automaton $\mathcal{A} = (TS, \mathcal{T})$. If $\mathcal{T} = \{\mathcal{T}_1, \mathcal{T}_2, \ldots, \mathcal{T}_n\}$, it is clear that $L(\mathcal{A}) = \bigcup_{i \in \{1, 2, \ldots, n\}} L(\mathcal{A}_i)$. Thus, every A0'-automaton can be simulated by an A0-automaton.

Gastin and Petit showed that the following acceptance condition provides a suitable generalization of classical Büchi automata to the setting of infinite traces.

(A1) $\mathcal{T} = \{\mathcal{T}_1, \mathcal{T}_2, \ldots, \mathcal{T}_n\}$ with $\mathcal{T}_i = \{F^i_p\}_{p \in \mathcal{P}}$ and $F^i_p \subseteq S_p$ for each $i \in \{1, 2, \ldots, n\}$ and each $p \in \mathcal{P}$. A run $\rho$ of $TS$ over $T \in TR^\omega$ is accepting with respect to A1 iff there exists $i$ such that $inf_p(\rho) \supseteq F^i_p$ for each $p$.

The condition A1 is an extension of the sequential condition B1 in a distributed setting. Notice that A1 "couples" together final sets of the components in each entry $\mathcal{T}_i \in \mathcal{T}$.

Theorem 2.1 ([GP]) $\mathcal{L} \subseteq TR^\omega$ is an $\omega$-regular trace language iff there exists an A1-automaton $\mathcal{A}$ such that $L_{Tr}(\mathcal{A}) = \mathcal{L}$.

Subsequently, Niebert has shown that the A1 condition can be modified to avoid coupling final sets across processes [Nie]. In effect, it is possible to have a local B1 table for each process and define a run $\rho$ to be accepting if for each process $p$, $inf_p(\rho)$ satisfies $p$'s B1 table. Going one step further, we arrive at the acceptance criterion A2, which is the one we will use in connection with the logics to be studied in the next section.

(A2) $\mathcal{T} = \{(F^\omega_p, F^f_p)\}_{p \in \mathcal{P}}$ with $F^\omega_p, F^f_p \subseteq S_p$ for each $p$.

A run $\rho$ over $T = (E, \le, \lambda)$ is accepting with respect to A2 iff for each process $p$ the following conditions are met.

Case 1: $E_p$ is finite. Then $inf_p(\rho) \cap F^f_p \ne \emptyset$.

Case 2: $E_p$ is an infinite set. Then $inf_p(\rho) \cap F^\omega_p \ne \emptyset$.

Thus, on an input $T$, the decision as to whether a process $p$ uses $F^f_p$ or $F^\omega_p$ to determine acceptance depends on whether or not $p$ executes infinitely many actions in $T$.

Theorem 2.2

(i) The class of languages accepted by A2-automata is closed under union.

(ii) The class of languages accepted by A1-automata is identical to the class of languages accepted by A2-automata.

Proof Sketch.

(i) Suppose $\mathcal{A}_1$ and $\mathcal{A}_2$ are two A2-automata. Then we construct an A2-automaton $\mathcal{A}$ which is the disjoint union of $\mathcal{A}_1$ and $\mathcal{A}_2$. The global initial states of $\mathcal{A}$ will determine for each run whether $\mathcal{A}_1$ or $\mathcal{A}_2$ (but not both!) is going to be explored. It is easy to check that $L(\mathcal{A}) = L(\mathcal{A}_1) \cup L(\mathcal{A}_2)$.

(ii) Let $\mathcal{A} = (TS, \mathcal{T})$ be an A1-automaton. From part (i), it suffices to consider the case where $\mathcal{T}$ has just one entry. So assume that $\mathcal{T} = \{\mathcal{T}_1\}$ and $\mathcal{T}_1 = \{F_p\}$. Let $TS = (\{S_p\}, \{\to_a\}, S_{in})$. Define the A2-automaton $\mathcal{A}' = (TS', \mathcal{T}')$ as follows. $TS' = (\{S'_p\}, \{\Rightarrow_a\}, S'_{in})$ where:

• $S'_p = S_p \times 2^{F_p} \times \{on, off\}$ for each $p$.

• Let $s'_a, t'_a$ be $a$-states in $TS'$ such that $s'_a(p) = (s_p, X_p, u_p)$ and $t'_a(p) = (t_p, Y_p, v_p)$ for each $p \in loc(a)$. Then $(s'_a, t'_a) \in \Rightarrow_a$ iff there exists $(s_a, t_a) \in \to_a$ such that the following conditions are satisfied for each $p \in loc(a)$.

(1) $u_p = on$, $s_p = s_a(p)$ and $t_p = t_a(p)$.

(2) If $X_p = \emptyset$ then $Y_p = F_p$. Otherwise, $Y_p = X_p - \{t_p\}$.

• $S'_{in} = \{s' \in S'_{\mathcal{P}} \mid \exists s \in S_{in}.\ \forall p \in \mathcal{P}.\ \exists u_p \in \{on, off\}.\ s'(p) = (s(p), \emptyset, u_p)\}$.

• $\mathcal{T}' = \{(G^\omega_p, G^f_p)\}$ where for each $p$,

$G^\omega_p = S_p \times \{\emptyset\} \times \{on\}$

$G^f_p = F_p \times 2^{F_p} \times \{off\}$

It is easy to check that $L_{Tr}(\mathcal{A}) = L_{Tr}(\mathcal{A}')$.

Conversely, let $\mathcal{A} = (TS, \mathcal{T})$ be an A2-automaton with $TS = (\{S_p\}, \{\to_a\}, S_{in})$ and $\mathcal{T} = \{(F^\omega_p, F^f_p)\}$. We say that $\mathcal{A}$ is in standard form if it satisfies:

• $F^\omega_p \cap F^f_p = \emptyset$ for each $p$.

• If $(s_a, t_a) \in \to_a$ and $p \in loc(a)$, then $s_a(p) \notin F^f_p$.

Thus, if $\mathcal{A}$ is in standard form, the $p$-states in $F^f_p$ are "dead" and are disjoint from $F^\omega_p$. It is a simple exercise to verify that every A2-automaton $\mathcal{A}$ can be converted to an A2-automaton $\mathcal{A}'$ in standard form such that $L_{Tr}(\mathcal{A}) = L_{Tr}(\mathcal{A}')$.

So, let $\mathcal{A} = (TS, \mathcal{T})$ be an A2-automaton in standard form with $TS = (\{S_p\}, \{\to_a\}, S_{in})$ and $\mathcal{T} = \{(F^\omega_p, F^f_p)\}$. Let $G$ be the set of functions of the form $g : \mathcal{P} \to S$ such that $g(p) \in F^\omega_p \cup F^f_p$ for each $p$. Define the A1-automaton $\mathcal{A}' = (TS', \mathcal{T}')$ where $TS' = TS$ and $\mathcal{T}' = \{\mathcal{T}_g\}_{g \in G}$, such that for each $g \in G$, $\mathcal{T}_g = \{\{g(p)\}\}_{p \in \mathcal{P}}$. It is easy to verify that $L_{Tr}(\mathcal{A}) = L_{Tr}(\mathcal{A}')$. □

We now argue that the emptiness problem for A2-automata is decidable. This will be required to settle the satisfiability problem for the logics considered in the next section. Let $\mathcal{A} = (TS, \mathcal{T})$ be an A2-automaton with $TS = (\{S_p\}, \{\to_a\}, S_{in})$ and $\mathcal{T} = \{(F^\omega_p, F^f_p)\}$. Though it is not strictly necessary, it will be illuminating to first associate a language of infinite words with $\mathcal{A}$.

Let $\sigma \in \Sigma^\omega$. Then a (word) run of $TS$ over $\sigma$ is a map $\rho : \omega \to S_{\mathcal{P}}$ such that $\rho(0) \in S_{in}$ and $\rho(i) \xrightarrow{\sigma(i)}_{TS} \rho(i+1)$ for each $i \ge 0$. The run $\rho$ over $\sigma$ is accepting iff the following conditions are satisfied for each $p$.

(i) If $i \in \omega$ is such that $\sigma(j) \notin \Sigma_p$ for every $j \ge i$ then $s_i(p) \in F^f_p$, where $s_i = \rho(i)$.

(ii) If $\sigma(j) \in \Sigma_p$ for infinitely many $j$ then for infinitely many $i$ it is the case that $s_i(p) \in F^\omega_p$, where $s_i = \rho(i)$.

We define $L_{seq}(\mathcal{A})$, the language of infinite words accepted by $\mathcal{A}$, to be the set of all words $\sigma$ such that there exists an accepting run of $\mathcal{A}$ over $\sigma$. The distributed nature of $TS$ together with the basic properties of the maps $str$ and $trs$ defined earlier lead to the next result.

Theorem 2.3 For any A2-automaton $\mathcal{A}$, $L_{Tr}(\mathcal{A}) = \{str(\sigma) \mid \sigma \in L_{seq}(\mathcal{A})\}$. Consequently $L_{Tr}(\mathcal{A}) \ne \emptyset$ iff $L_{seq}(\mathcal{A}) \ne \emptyset$.

Similar statements hold, of course, for A0-automata and A1-automata.

All the A2-automata that we construct in the next section will be in standard form. So assume that $\mathcal{A} = (TS, \mathcal{T})$ is an A2-automaton in standard form with $TS = (\{S_p\}, \{\to_a\}, S_{in})$ and $\mathcal{T} = \{(F^\omega_p, F^f_p)\}$. Construct the directed graph $G_{\mathcal{A}} = (S_{\mathcal{P}}, E_{\mathcal{A}})$ where $S_{\mathcal{P}}$ is the set of global states of $TS$ and $(s, s') \in E_{\mathcal{A}}$ iff there exists $a \in \Sigma$ such that $s \xrightarrow{a}_{TS} s'$. We also label each edge in $G_{\mathcal{A}}$ with a set of processes. Let $\pi : E_{\mathcal{A}} \to 2^{\mathcal{P}}$ be given by $\pi((s, s')) = \bigcup\{loc(a) \mid s \xrightarrow{a}_{TS} s'\}$.

We call $X \subseteq S_{\mathcal{P}}$ a good component iff $X$ is a maximal strongly connected component in $G_{\mathcal{A}}$ which meets one of the following conditions for each $p$.

(i) There exists $s \in X$ such that $s(p) \in F^f_p$. (Because $\mathcal{A}$ is in standard form this implies that $s'(p) = s''(p) \in F^f_p$ for every $s', s'' \in X$.)

(ii) There exists $s \in X$ such that $s(p) \in F^\omega_p$ and for some $s' \in X$, $(s', s) \in E_{\mathcal{A}}$ and $p \in \pi((s', s))$.

From Theorem 2.3 we know that $L_{Tr}(\mathcal{A})$ is non-empty iff $L_{seq}(\mathcal{A})$ is. It is not difficult to prove that $L_{seq}(\mathcal{A})$ is non-empty iff $G_{\mathcal{A}}$ has a good component. It is known that the maximal strongly connected components of a digraph can be computed in time which is linear in the size of the digraph [AHU]. Clearly, the size of $G_{\mathcal{A}}$ is bounded by the number of global states of $\mathcal{A}$. As a consequence it is easy to derive the next result.

Theorem 2.4 Let $\mathcal{A}$ be an A2-automaton in standard form. Then $L_{Tr}(\mathcal{A}) \ne \emptyset$ iff $G_{\mathcal{A}}$ has a good component. For $p \in \mathcal{P}$, let $n_p = |S_p|$ denote the number of $p$-states. Let $n = \max\{n_p\}_{p \in \mathcal{P}}$ and $m = |\mathcal{P}|$. Then checking that $G_{\mathcal{A}}$ has a good component can be done in time $O(n^{2m})$.
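The emptiness check of Theorem 2.4, as an added example that is not part of the paper: it represents a distributed transition system with local transition relations $\to_a$ over $a$-states, derives the global relation $\to_{TS}$ (only the $loc(a)$ components move), builds $G_{\mathcal{A}}$ with the edge labelling $\pi$, computes maximal strongly connected components with Tarjan's algorithm, and tests conditions (i) and (ii) of a good component for an A2 table in standard form. The same graph search also serves as the emptiness test for the sequential Büchi automata of the beginning of this section, which are the one-process case. Two assumptions go beyond the text and are marked in the code: only global states reachable from $S_{in}$ are used, since an accepting run starts there, and at least one process must satisfy (ii), since an infinite trace needs some process to move infinitely often. The three automata over $\tilde{\Sigma}_0 = \{\{a\}, \{b\}\}$ are constructed for illustration and all names are ours.

```python
"""Emptiness of an A2-automaton in standard form via good components of the
global state graph G_A (Theorem 2.4). Global states are tuples of local states,
one per process, processes taken in sorted name order."""


def make_automaton(alph, trans, init, f_omega, f_fin):
    """alph: {p: set of actions} (the distributed alphabet),
    trans: {a: set of (s_a, t_a)} where an a-state is a tuple of local states,
           one per process in loc(a) (sorted order),
    init: set of global states,
    f_omega / f_fin: {p: set of local states}, the A2 table (F_p^omega, F_p^f)."""
    return {"procs": tuple(sorted(alph)), "alph": alph, "trans": trans,
            "init": set(init), "f_omega": f_omega, "f_fin": f_fin}


def loc(aut, a):
    return tuple(p for p in aut["procs"] if a in aut["alph"][p])


def global_moves(aut, s):
    """All (a, s') with s -a->_TS s': the loc(a) components follow ->_a,
    every other process keeps its local state."""
    moves = []
    for a, rel in aut["trans"].items():
        idx = [aut["procs"].index(p) for p in loc(aut, a)]
        s_a = tuple(s[i] for i in idx)
        for u, v in rel:
            if u == s_a:
                t = list(s)
                for i, x in zip(idx, v):
                    t[i] = x
                moves.append((a, tuple(t)))
    return moves


def global_graph(aut):
    """G_A restricted to states reachable from S_in (our assumption: an accepting
    run has to start in S_in). Result: {s: {s': pi((s, s'))}}."""
    edges, todo = {}, list(aut["init"])
    while todo:
        s = todo.pop()
        if s in edges:
            continue
        edges[s] = {}
        for a, t in global_moves(aut, s):
            edges[s].setdefault(t, set()).update(loc(aut, a))
            todo.append(t)
    return edges


def sccs(edges):
    """Maximal strongly connected components (Tarjan)."""
    index, low, stack, on_stack, comps, counter = {}, {}, [], set(), [], [0]

    def visit(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in edges[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(frozenset(comp))

    for v in edges:
        if v not in index:
            visit(v)
    return comps


def is_good(aut, edges, comp):
    """Condition (i) or (ii) for every process; our extra requirement that some
    process satisfies (ii) rules out a single dead state with no cycle."""
    some_progress = False
    for k, p in enumerate(aut["procs"]):
        stopped = any(s[k] in aut["f_fin"][p] for s in comp)          # (i)
        progress = any(s[k] in aut["f_omega"][p] and                   # (ii)
                       any(s in edges[t] and p in edges[t][s] for t in comp)
                       for s in comp)
        if not (stopped or progress):
            return False
        some_progress = some_progress or progress
    return some_progress


def good_components(aut):
    edges = global_graph(aut)
    return [c for c in sccs(edges) if is_good(aut, edges, c)]


def is_empty(aut):
    """L_Tr(A) is empty iff G_A has no good component (Theorem 2.4)."""
    return not good_components(aut)


# Constructed examples over the distributed alphabet {{a}, {b}} of the text.
# A_BOTH accepts exactly the trace with infinitely many a's and infinitely many b's.
A_BOTH = make_automaton(
    alph={"p": {"a"}, "q": {"b"}},
    trans={"a": {(("p0",), ("p0",))}, "b": {(("q0",), ("q0",))}},
    init={("p0", "q0")}, f_omega={"p": {"p0"}, "q": {"q0"}}, f_fin={"p": set(), "q": set()})
# A_Q_STOPS: q must do exactly one b and halt in the dead state q1; p runs forever.
A_Q_STOPS = make_automaton(
    alph={"p": {"a"}, "q": {"b"}},
    trans={"a": {(("p0",), ("p0",))}, "b": {(("q0",), ("q1",))}},
    init={("p0", "q0")}, f_omega={"p": {"p0"}, "q": set()}, f_fin={"p": set(), "q": {"q1"}})
# A_EMPTY: q can neither stop acceptingly nor be accepted while running.
A_EMPTY = make_automaton(
    alph={"p": {"a"}, "q": {"b"}},
    trans={"a": {(("p0",), ("p0",))}, "b": {(("q0",), ("q0",))}},
    init={("p0", "q0")}, f_omega={"p": {"p0"}, "q": set()}, f_fin={"p": set(), "q": set()})
```

In `A_Q_STOPS` the component $\{(p_0, q_0)\}$ is not good because $q_0$ lies in neither $F^f_q$ nor $F^\omega_q$, while $\{(p_0, q_1)\}$ is good: $p$ satisfies (ii) through the $a$ self-loop and $q$ satisfies (i) in the dead state $q_1$.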

We  conclude  this  section  with  a  few  remarks  on  deterministic  automata  over  in¬ 
finite  traces.  As  with  automata  on  infinite  words,  non-deterministic  A2-automata 
on  infinite  traces  are  strictly  more  expressive  than  deterministic  A2-automata.  In 
the  absence  of  deter minacy,  complementation  is  difficult.  When  applying  these 
automata  to  settle  questions  in  logic,  complementation  is  often  required  to  handle 
negation  in  formulas.  (Fortunately,  the  automata-theoretic  treatment  of  linear  time 
temporal  logic  on  traces  which  we  will  describe  here  does  not  require  complemen¬ 
tation.) 

To  obtain  determinacy  without  loss  of  expressive  power  one  must  use  a  more 
sophisticated  acceptance  criterion  corresponding  to  the  Muller,  Rabin  or  Streett 
acceptance  conditions  for  infinite  words.  Here,  we  will  look  only  at  the  Muller 
acceptance  condition. 

(M) $T = \{T_1, \ldots, T_n\}$ with $T_i = \{F^i_p\}$ and $F^i_p \subseteq S_p$ for each $i$ and each $p$. A run $\rho$ over $F \in TR^\omega$ is accepting with respect to M iff there exists $T_i \in T$ such that $inf_p(\rho) = F^i_p$ for each $p$.

Diekert and Muscholl [DM] showed that deterministic M-automata are as expressive as non-deterministic A1-automata. Their proof however does not lead to a determinization construction for A1-automata.

There are two independent solutions available in the literature for the difficult problem of complementing A1-automata. Muscholl first showed how to directly construct a non-deterministic A1-automaton which is the complement of the given automaton [Mus]; this approach does not yield a determinization construction for A1-automata. In [Mus] the complementation is carried out for asynchronous cellular Büchi automata, in which there is one agent for each letter. To transport this complementation result to A1-automata, one has to resort to a simulation which carries non-trivial overheads in the size of the alphabet. The second solution, due to Klarlund, Mukund and Sohoni [KMS], is a direct determinization construction for A1-automata which then easily leads to the complementation result. In both cases, the blow-up in the local state space of each process is exponential in the global state space of the original automaton, which is essentially optimal. Surprisingly, in both [Mus] and [KMS], the A1 acceptance condition must first be transformed into an equivalent one which describes in considerable detail the communication patterns established by the infinite trace that is being examined for acceptance.

3  Linear  Time  Temporal  Logics  over  Traces 

A variety of linear time temporal logics to be interpreted over traces have been proposed in the literature. As mentioned in the Introduction, our focus here will be on those logics which meet the following criteria:

(i) The logic should be expressible within the first order theory of traces.

(ii) The logic should admit a treatment in terms of asynchronous Büchi automata of one kind or the other.


We begin with the logic TrPTL (Trace based Propositional Temporal logic of Linear time). This is the earliest and, to date, the most expressive linear time logic of the chosen kind. For a detailed treatment of this logic the reader is referred to [Thi1]. After presenting TrPTL we will consider two subsystems denoted $TrPTL^{con}$ (connected TrPTL) and $TrPTL^{\otimes}$ (product TrPTL). These subsystems are obtained by placing suitable syntactic restrictions on the formulas. The interesting point is that these restrictions result in proportionate simplification of the automata theoretic constructions associated with the logics. Towards the end of the section we will take a quick look at other temporal logics that have been proposed with traces as the underlying frames.


Henceforth, it will be notationally convenient to deal with distributed alphabets in which the names of the processes are positive integers. Through this section and the next, we fix a distributed alphabet $\widetilde{\Sigma} = \{\Sigma_i\}_{i \in \mathcal{P}}$ with $\mathcal{P} = \{1, 2, \ldots, K\}$ and $K \geq 1$. We let $i, j$ and $k$ range over $\mathcal{P}$. As before, let $P, Q$ range over non-empty subsets of $\mathcal{P}$. The trace alphabet induced by $\widetilde{\Sigma}$ is denoted $(\Sigma, I)$. We assume the terminology and notations developed in the previous sections. In particular, when dealing with a $\mathcal{P}$-indexed family $\{X_i\}_{i \in \mathcal{P}}$, we will often write just $\{X_i\}$.

The logic TrPTL is parameterized by the class of distributed alphabets. Having fixed $\widetilde{\Sigma}$ we shall often (in fact almost always) write TrPTL to mean $TrPTL(\widetilde{\Sigma})$, the logic associated with $\widetilde{\Sigma}$. Fix a set of atomic propositions $AP$ with $p, q$ ranging over $AP$. Then $\Phi_{TrPTL(\widetilde{\Sigma})}$, the set of formulas of $TrPTL(\widetilde{\Sigma})$, is defined inductively via:

•  For $p \in AP$ and $i \in \mathcal{P}$, $p(i)$ is a formula (which is to be read "$p$ at $i$").

•  If $\alpha$ and $\beta$ are formulas, so are $\neg\alpha$ and $\alpha \vee \beta$.

•  If $\alpha$ is a formula and $a \in \Sigma_i$ then $\langle a\rangle_i\alpha$ is a formula.

•  If $\alpha$ and $\beta$ are formulas so is $\alpha\,U_i\,\beta$.


From now on, we denote $\Phi_{TrPTL(\widetilde{\Sigma})}$ as just $\Phi$. In the semantics of the logic, which will be based on infinite traces, the $i$-view of a configuration will play a crucial role. Let $F \in TR^\omega$ with $F = (E, \leq, \lambda)$. Recall that $E_i = \{e \mid e \in E \text{ and } \lambda(e) \in \Sigma_i\}$. Let $c \in C_F$ and $i \in \mathcal{P}$. Then $\downarrow^i(c)$ is the $i$-view of $c$ and it is defined as:

$\downarrow^i(c) = \downarrow(c \cap E_i)$.

We note that $\downarrow^i(c)$ is also a configuration. It is the "best" configuration that the agent $i$ is aware of at $c$. We say that $\downarrow^i(c)$ is an $i$-local configuration. Let $C^i_F = \{\downarrow^i(c) \mid c \in C_F\}$ be the set of $i$-local configurations. For $Q \subseteq \mathcal{P}$ and $c \in C_F$, we let $\downarrow^Q(c)$ denote the set $\bigcup\{\downarrow^i(c) \mid i \in Q\}$. Once again, $\downarrow^Q(c)$ is a configuration. It represents the collective knowledge of the processes in $Q$ about the configuration $c$.

The  following  basic  properties  of  traces  follow  directly  from  the  definitions. 


Proposition 3.1 Let $F = (E, \leq, \lambda)$ be an infinite trace. The following statements hold.

(i) Let $\leq_i = \leq \cap (E_i \times E_i)$. Then $(E_i, \leq_i)$ is a linear order isomorphic to $\omega$ if $E_i$ is infinite and isomorphic to a finite initial segment of $\omega$ if $E_i$ is finite.

(ii) $(C^i_F, \subseteq)$ is a linear order. In fact $(C^i_F - \{\emptyset\}, \subseteq)$ is isomorphic to $(E_i, \leq_i)$.

(iii) Suppose $\downarrow^i(c) \neq \emptyset$ where $c \in C_F$. Then there exists $e \in E_i$ such that $\downarrow^i(c) = \downarrow e$. In fact $e$ is the $\leq_i$-maximum event in $c \cap E_i$.

(iv) Suppose $Q \subseteq Q' \subseteq \mathcal{P}$ and $c \in C_F$. Then $\downarrow^Q(c) = \downarrow^Q(\downarrow^{Q'}(c))$. In particular, for a single process $i$, $\downarrow^i(c) = \downarrow^i(\downarrow^i(c))$.

We can now present the semantics of TrPTL. A model is a pair $M = (F, \{V_i\}_{i \in \mathcal{P}})$ where $F = (E, \leq, \lambda) \in TR^\omega$ and $V_i : C^i_F \to 2^{AP}$ is a valuation function which assigns a set of atomic propositions to $i$-local configurations for each process $i$. Let $c \in C_F$ and $\alpha \in \Phi$. Then $M, c \models \alpha$ denotes that $\alpha$ is satisfied at $c$ in $M$ and it is defined inductively as follows:

•  $M, c \models p(i)$ for $p \in AP$ iff $p \in V_i(\downarrow^i(c))$.

•  $M, c \models \neg\alpha$ iff $M, c \not\models \alpha$.

•  $M, c \models \alpha \vee \beta$ iff $M, c \models \alpha$ or $M, c \models \beta$.

•  $M, c \models \langle a\rangle_i\alpha$ iff there exists $e \in E_i - c$ such that $\lambda(e) = a$ and $M, \downarrow e \models \alpha$. Moreover, for every $e' \in E_i$, $e' < e$ iff $e' \in c$.

•  $M, c \models \alpha\,U_i\,\beta$ iff there exists $c' \in C_F$ such that $c \subseteq c'$ and $M, \downarrow^i(c') \models \beta$. Moreover, for every $c'' \in C_F$, if $\downarrow^i(c) \subseteq \downarrow^i(c'') \subset \downarrow^i(c')$ then $M, \downarrow^i(c'') \models \alpha$.

Thus TrPTL is an action based, agent-wise generalization of LTL. Indeed, both in terms of its syntax and semantics, LTL corresponds to the case where there is only one agent and where this agent can execute only one action at any time. With $\mathcal{P} = \{1\}$ and $\Sigma_1 = \{a_0\}$ one then writes $p$ instead of $p(1)$, $\bigcirc\alpha$ instead of $\langle a_0\rangle_1\alpha$ and $\alpha\,U\,\beta$ instead of $\alpha\,U_1\,\beta$. The semantics of TrPTL when specialized down to this case yields the usual LTL semantics. In the next section we will say more about the relationship between TrPTL and LTL.

Returning to TrPTL, the assertion $p(i)$ says that the $i$-view of $c$ satisfies the atomic proposition $p$. Observe that we could well have $p(i)$ satisfied at $c$ but not $p(j)$ (with $i \neq j$). It is interesting to note that all atomic assertions (that we know of) concerning distributed behaviours are local in nature. Indeed, it is well-known that global atomic propositions will at once lead to an undecidable logic in the current setting [LPRT, Pen].

Suppose $M = (F, \{V_i\})$ is a model and $c \xrightarrow{a} c'$ with $j \notin loc(a)$. Then $M, c \models p(j)$ iff $M, c' \models p(j)$. In this sense the valuation functions are local. There are, of course, a number of equivalent ways of formulating this idea which we will not get into here.

The assertion $\langle a\rangle_i\alpha$ says that the agent $i$ will next participate in an $a$-event. Moreover, at the resulting $i$-view, the assertion $\alpha$ will hold. The assertion $\alpha\,U_i\,\beta$ says that there is a future $i$-view (including the present $i$-view) at which $\beta$ will hold and for all the intermediate $i$-views (if any) starting from the current $i$-view, the assertion $\alpha$ will hold.

Before considering examples of TrPTL specifications, we will introduce some notation. We let $\alpha, \beta$ with or without subscripts range over $\Phi$. Abusing notation, we will use $loc$ to denote the map which associates a set of locations with each formula.

•  $loc(p(i)) = loc(\langle a\rangle_i\alpha) = loc(\alpha\,U_i\,\beta) = \{i\}$.

•  $loc(\neg\alpha) = loc(\alpha)$.

•  $loc(\alpha \vee \beta) = loc(\alpha) \cup loc(\beta)$.

In what follows, $\Phi^i = \{\alpha \mid loc(\alpha) = \{i\}\}$ is the set of $i$-type formulas. A basic observation concerning the semantics of TrPTL can be phrased as follows:

Proposition 3.2 Let $M = (F, \{V_i\})$ be a model, $c \in C_F$ and $\alpha$ a formula such that $loc(\alpha) \subseteq Q$. Then $M, c \models \alpha$ iff $M, \downarrow^Q(c) \models \alpha$.

A corollary to this result is that in case $\alpha \in \Phi^i$ then $M, c \models \alpha$ iff $M, \downarrow^i(c) \models \alpha$. As a result, the formulas in $\Phi^i$ can be used in exactly the same manner as one would use LTL (in the setting of sequences) to express properties of the agent $i$. Boolean combinations of such local assertions can be used to capture various interaction patterns between the agents, implied by the logical connectives as well as the coordination enforced by the distributed alphabet $\widetilde{\Sigma}$.

For writing specifications, apart from the usual derived connectives of propositional calculus such as $\wedge$, $\Rightarrow$ and $\equiv$, the following operators are also available.

•  $\top = p_1(1) \vee \neg p_1(1)$ denotes the constant "True", where $AP = \{p_1, p_2, \ldots\}$. We use $\bot = \neg\top$ to denote "False".

•  $\Diamond_i\alpha = \top\,U_i\,\alpha$ is a local version of the $\Diamond$ modality of LTL.

•  $\Box_i\alpha = \neg\Diamond_i\neg\alpha$ is a local version of the $\Box$ modality of LTL.

•  Let $X \subseteq \Sigma_i$ and $\overline{X} = \Sigma_i - X$. Then $\alpha\,U^X_i\,\beta = (\alpha \wedge \bigwedge_{a \in \overline{X}} \neg\langle a\rangle_i\top)\,U_i\,\beta$. In other words $\alpha\,U^X_i\,\beta$ is fulfilled using (at most) actions taken from $X$. We set $\Diamond^X_i\alpha = \top\,U^X_i\,\alpha$ and $\Box^X_i\alpha = \neg\Diamond^X_i\neg\alpha$.

•  $\alpha(i) = \alpha\,U_i\,\alpha$ (or equivalently $\bot\,U_i\,\alpha$). $\alpha(i)$ is to be read as "$\alpha$ at $i$". If $M = (F, \{V_i\})$ is a model and $c \in C_F$ then $M, c \models \alpha(i)$ iff $M, \downarrow^i(c) \models \alpha$. It could of course be the case that $loc(\alpha) \neq \{i\}$.

A simple but important observation is that every formula is a boolean combination of formulas taken from $\bigcup_{i \in \mathcal{P}} \Phi^i$. In TrPTL we can say that a specific global configuration is reachable from the initial configuration. Let $\{\alpha_i\}_{i \in \mathcal{P}}$ be a family with $\alpha_i \in \Phi^i$ for each $i$. Then we can define a derived connective $\Diamond(\alpha_1, \alpha_2, \ldots, \alpha_K)$ which has the following semantics at the empty configuration. Let $M = (F, \{V_i\})$ be a model. Then $M, \emptyset \models \Diamond(\alpha_1, \alpha_2, \ldots, \alpha_K)$ iff there exists $c \in C_F$ such that $M, c \models \alpha_1 \wedge \alpha_2 \wedge \cdots \wedge \alpha_K$.

To define this derived connective set $\Sigma'_1 = \Sigma_1$ and, for $1 < i \leq K$, set $\Sigma'_i = \Sigma_i - \bigcup\{\Sigma_j \mid 1 \leq j < i\}$. Then $\Diamond(\alpha_1, \alpha_2, \ldots, \alpha_K)$ is the formula:

$\Diamond^{\Sigma'_1}_1(\alpha_1 \wedge \Diamond^{\Sigma'_2}_2(\alpha_2 \wedge \Diamond^{\Sigma'_3}_3(\alpha_3 \wedge \cdots \alpha_K)) \cdots)$.

The idea is that the sequence of actions leading up to the required configuration can be reordered so that one first performs all the actions in $\Sigma_1$, then all the actions in $\Sigma_2 - \Sigma_1$, etc. Hence, if $now$ is an atomic proposition, the formula $\Diamond(now(1), now(2), \ldots, now(K))$ is satisfied at the empty configuration iff there is a reachable configuration at which all the agents assert $now$.

Dually, safety properties that hold at the initial configuration can also be expressed. For example, let $crt(i)$ be the atomic assertion declaring that the agent $i$ is currently in its critical section. Then it is possible to write a formula $\varphi_{ME}$ which asserts that at all reachable configurations at most one agent is in its critical section, thereby guaranteeing that the system satisfies the mutual exclusion property. We omit the details of how to specify $\varphi_{ME}$.

On the other hand, it seems difficult to express nested global and safety properties in TrPTL. This is mainly due to the local nature of the modalities, which results in information about the past sneaking into the semantics even though there are no explicit past operators in the logic. In particular, TrPTL admits formulas that are satisfiable but not root-satisfiable.

A formula $\alpha$ is said to be root-satisfiable iff there exists a model $M$ such that $M, \emptyset \models \alpha$. On the other hand, $\alpha$ is said to be satisfiable iff there exists a model $M = (F, \{V_i\})$ and $c \in C_F$ such that $M, c \models \alpha$. It turns out that these two notions are not equivalent. Consider the distributed alphabet $\widetilde{\Sigma}_0 = \{\Sigma_1, \Sigma_2\}$ with $\Sigma_1 = \{a, d\}$ and $\Sigma_2 = \{b, d\}$. Then it is not difficult to verify that the formula $p(2)(1) \wedge \Box_2\neg p(2)$ is satisfiable but not root-satisfiable. (Recall that $p(2)(1)$ abbreviates $\bot\,U_1\,p(2)$.) One can however transform every formula $\alpha$ into a formula $\alpha'$ such that $\alpha$ is satisfiable iff $\alpha'$ is root-satisfiable.

This follows from the observation that every $\alpha$ can be expressed as a boolean combination of formulas taken from the set $\bigcup_{i \in \mathcal{P}} \Phi^i$. Hence the given formula $\alpha$ can be assumed to be of the form $\alpha = \bigvee_{j=1}^{m}(\alpha_{j1} \wedge \alpha_{j2} \wedge \cdots \wedge \alpha_{jK})$ where $\alpha_{ji} \in \Phi^i$ for each $j \in \{1, 2, \ldots, m\}$ and each $i \in \mathcal{P}$. Now convert $\alpha$ to the formula $\alpha'$ where $\alpha' = \bigvee_{j=1}^{m} \Diamond(\alpha_{j1}, \alpha_{j2}, \ldots, \alpha_{jK})$. (Recall the derived modality $\Diamond(\alpha_1, \alpha_2, \ldots, \alpha_K)$ introduced earlier.) From the semantics of $\Diamond(\alpha_1, \alpha_2, \ldots, \alpha_K)$ it follows that $\alpha$ is satisfiable iff $\alpha'$ is root-satisfiable.
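The satisfaction clauses and the root-satisfiability example above can be checked mechanically on a small trace. The following Python program is an added illustration and is not part of the text: it fixes the distributed alphabet $\widetilde{\Sigma}_0$ ($\Sigma_1 = \{a, d\}$, $\Sigma_2 = \{b, d\}$), constructs a two-event finite trace (a shared $d$-event $e_1$ followed by a $b$-event $e_2$ of agent 2) with a constructed valuation under which $p$ holds only at the 2-local configuration $\{e_1\}$, and evaluates $M, c \models \alpha$ clause by clause. It then confirms that $p(2)(1) \wedge \Box_2\neg p(2)$ holds at the configuration $\{e_1, e_2\}$ but not at $\emptyset$, checks Proposition 3.2 for a 1-type formula, and builds the derived connective $\Diamond(\alpha_1, \ldots, \alpha_K)$ from the sets $\Sigma'_i$ exactly as defined above. The only departure from the text is that the trace is finite, so $C_F$ is enumerated exhaustively; the event names, the valuation and the tuple encoding of formulas are the example's own assumptions.

```python
from itertools import combinations

# Distributed alphabet Sigma_0 from the text: Sigma_1 = {a, d}, Sigma_2 = {b, d}.
SIGMA = {1: {"a", "d"}, 2: {"b", "d"}}
LOC = {"a": {1}, "b": {2}, "d": {1, 2}}

# Constructed finite trace F = (E, <=, lambda): a shared d-event e1, then a b-event e2 of agent 2.
LABEL = {"e1": "d", "e2": "b"}
PRED = {"e1": set(), "e2": {"e1"}}              # immediate causal predecessors (constructed)

def down(events):
    """Downward closure of a set of events under the causality order."""
    out, todo = set(events), list(events)
    while todo:
        for e in PRED[todo.pop()]:
            if e not in out:
                out.add(e)
                todo.append(e)
    return frozenset(out)

def iview(c, i):
    """The i-view of c: the downward closure of c restricted to E_i."""
    return down({e for e in c if i in LOC[LABEL[e]]})

# C_F is finite here, so it is enumerated once: all downward-closed subsets of E.
CONFIGS = {down(c) for n in range(len(LABEL) + 1)
           for c in combinations(LABEL, n) if down(c) == frozenset(c)}

# Constructed valuation: p holds at the 2-local configuration {e1} only; V_1 assigns nothing.
VAL = {1: {}, 2: {frozenset({"e1"}): {"p"}}}

def sat(c, f):
    """M, c |= f, clause by clause as in the text (on this finite trace)."""
    kind = f[0]
    if kind == "p":                                    # ("p", name, i)
        return f[1] in VAL[f[2]].get(iview(c, f[2]), set())
    if kind == "not":
        return not sat(c, f[1])
    if kind == "or":
        return sat(c, f[1]) or sat(c, f[2])
    if kind == "next":                                 # ("next", a, i, alpha): <a>_i alpha
        _, a, i, alpha = f
        E_i = {e for e in LABEL if i in LOC[LABEL[e]]}
        return any(LABEL[e] == a and sat(down({e}), alpha)
                   and all((x in down({e}) and x != e) == (x in c) for x in E_i)
                   for e in E_i - c)
    _, alpha, beta, i = f                              # ("until", alpha, beta, i): alpha U_i beta
    return any(c <= d and sat(iview(d, i), beta)
               and all(sat(iview(x, i), alpha) for x in CONFIGS
                       if iview(c, i) <= iview(x, i) < iview(d, i))
               for d in CONFIGS)

# Derived connectives of the text.
def p(name, i): return ("p", name, i)
def neg(f): return ("not", f)
def lor(f, g): return ("or", f, g)
def land(f, g): return neg(lor(neg(f), neg(g)))
def nxt(a, i, f): return ("next", a, i, f)
def until(f, g, i): return ("until", f, g, i)
TOP = lor(p("p", 1), neg(p("p", 1)))
BOT = neg(TOP)
def box(i, f): return neg(until(TOP, neg(f), i))       # box_i f
def at(f, i): return until(BOT, f, i)                  # f(i), "f at i"

def diamond_x(i, X, f):
    """diamond_i^X f = (T and /\\_{a in Sigma_i - X} not <a>_i T) U_i f."""
    guard = TOP
    for a in sorted(SIGMA[i] - X):
        guard = land(guard, neg(nxt(a, i, TOP)))
    return until(guard, f, i)

def reach(alphas):
    """The derived connective diamond(alpha_1, ..., alpha_K) built from Sigma'_1, ..., Sigma'_K."""
    prime, seen = {}, set()
    for i in sorted(alphas):
        prime[i] = SIGMA[i] - seen
        seen |= SIGMA[i]
    body = None
    for i in sorted(alphas, reverse=True):
        inner = alphas[i] if body is None else land(alphas[i], body)
        body = diamond_x(i, prime[i], inner)
    return body

PHI = land(at(p("p", 2), 1), box(2, neg(p("p", 2))))    # p(2)(1) and box_2 not p(2)

def satisfiable(f): return any(sat(c, f) for c in CONFIGS)
def root_satisfiable(f): return sat(frozenset(), f)
```

At $\{e_1, e_2\}$ agent 1 sees only $\{e_1\}$, whose 2-view still carries $p$, while agent 2 has already moved on to a 2-view without $p$; at $\emptyset$ both views coincide, which is exactly why the formula cannot be root-satisfied. The `until` clause quantifies over the finitely many configurations, which is enough to exhibit the difference between satisfiability and root-satisfiability.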

Hence, in principle, it suffices to consider only root-satisfiability in developing a decision procedure for TrPTL. There is of course a blow-up involved in converting satisfiable formulas to root-satisfiable formulas. If one wants to avoid this blow-up then the decision procedure for checking root-satisfiability can be suitably modified to yield a direct decision procedure for checking satisfiability, as is done in [Thi1]. In any case, it is root-satisfiability which is of importance from the standpoint of model checking. Hence here we shall only develop a procedure for deciding if a given formula of TrPTL is root-satisfiable.

As a first step we augment the syntax of our logic by one more construct.

•  If $\alpha$ is a formula, so is $\bigcirc_i\alpha$. In the model $M = (F, \{V_i\})$, at the configuration $c \in C_F$, $M, c \models \bigcirc_i\alpha$ iff $M, c \models \langle a\rangle_i\alpha$ for some $a \in \Sigma_i$. We also define $loc(\bigcirc_i\alpha) = \{i\}$.

Thus $\bigcirc_i\alpha \equiv \bigvee_{a \in \Sigma_i}\langle a\rangle_i\alpha$ is a valid formula and $\bigcirc_i$ is expressible in the former syntax. It will however be more efficient to admit $\bigcirc_i$ as a first class modality.

Fix a formula $\alpha_0$. Our aim is to effectively associate an A2-automaton $A_{\alpha_0}$ with $\alpha_0$ such that $\alpha_0$ is root-satisfiable iff $L_{Tr}(A_{\alpha_0}) \neq \emptyset$. Since the emptiness problem for A2-automata is decidable (Theorem 2.4), this will yield the desired decision procedure. Let $CL'(\alpha_0)$ be the least set of formulas containing $\alpha_0$ which satisfies:

•  $\neg\beta \in CL'(\alpha_0)$ implies $\beta \in CL'(\alpha_0)$.

•  $\alpha \vee \beta \in CL'(\alpha_0)$ implies $\alpha, \beta \in CL'(\alpha_0)$.

•  $\langle a\rangle_i\alpha \in CL'(\alpha_0)$ implies $\alpha \in CL'(\alpha_0)$.

•  $\bigcirc_i\alpha \in CL'(\alpha_0)$ implies $\alpha \in CL'(\alpha_0)$.

•  $\alpha\,U_i\,\beta \in CL'(\alpha_0)$ implies $\alpha, \beta \in CL'(\alpha_0)$. In addition, $\bigcirc_i(\alpha\,U_i\,\beta) \in CL'(\alpha_0)$.

We then define $CL(\alpha_0)$ to be the set $CL'(\alpha_0) \cup \{\neg\beta \mid \beta \in CL'(\alpha_0)\}$.

Thus $CL(\alpha_0)$, sometimes called the Fischer-Ladner closure of $\alpha_0$, is closed under negation with the convention that $\neg\neg\beta$ is identified with $\beta$. From now on we shall write $CL$ instead of $CL(\alpha_0)$.

$A \subseteq CL$ is called an $i$-type atom iff it satisfies:

•  $\forall\alpha \in CL.\ \alpha \in A$ iff $\neg\alpha \notin A$.

•  $\forall\alpha \vee \beta \in CL.\ \alpha \vee \beta \in A$ iff $\alpha \in A$ or $\beta \in A$.

•  $\forall\alpha\,U_i\,\beta \in CL.\ \alpha\,U_i\,\beta \in A$ iff $\beta \in A$ or ($\alpha \in A$ and $\bigcirc_i(\alpha\,U_i\,\beta) \in A$).

•  If $\langle a\rangle_i\alpha, \langle b\rangle_i\beta \in A$ then $a = b$.

$AT_i$ denotes the set of $i$-type atoms. We now need to define the notion of a formula in $CL$ being a member of a collection of atoms. Let $\alpha \in CL$ and $\{A_i\}_{i \in Q}$ be a family of atoms with $loc(\alpha) \subseteq Q$ and $A_i \in AT_i$ for each $i \in Q$. Then the predicate $\alpha \in \{A_i\}_{i \in Q}$ is defined inductively as:

•  If $loc(\alpha) = \{j\}$ then $\alpha \in \{A_i\}_{i \in Q}$ iff $\alpha \in A_j$.

•  If $\alpha = \neg\beta$ then $\alpha \in \{A_i\}_{i \in Q}$ iff $\beta \notin \{A_i\}_{i \in Q}$.

•  If $\alpha = \alpha_1 \vee \alpha_2$ then $\alpha_1 \vee \alpha_2 \in \{A_i\}_{i \in Q}$ iff $\alpha_1 \in \{A_i\}_{i \in Q}$ or $\alpha_2 \in \{A_i\}_{i \in Q}$.
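To see the closure, the $i$-type atoms and the membership predicate in operation, here is an added Python example (not code from the text) that computes all three by brute force for the constructed formula $\alpha_0 = \langle a\rangle_1 p(1) \vee (p(2)\,U_2\,q(2))$ over two agents. The tuple encoding of formulas is an assumption of the example; the closure rules and the four atom conditions are exactly those listed above.

```python
# Formulas are tuples (an encoding assumed by this example):
#   ("p", name, i)         p(i)            ("not", f)           not f
#   ("or", f, g)           f or g          ("next", a, i, f)    <a>_i f
#   ("onext", i, f)        O_i f           ("until", f, g, i)   f U_i g
def p(name, i): return ("p", name, i)

def neg(f):
    """Negation with the convention that not-not-beta is identified with beta."""
    return f[1] if f[0] == "not" else ("not", f)

def loc(f):
    k = f[0]
    if k == "p": return {f[2]}
    if k == "not": return loc(f[1])
    if k == "or": return loc(f[1]) | loc(f[2])
    if k == "next": return {f[2]}
    if k == "onext": return {f[1]}
    return {f[3]}                                   # until

def closure(f0):
    """CL(f0): the least set CL'(f0) given by the five rules, closed under negation."""
    cl, todo = set(), [f0]
    while todo:
        f = todo.pop()
        if f in cl:
            continue
        cl.add(f)
        k = f[0]
        if k == "not": todo.append(f[1])
        elif k == "or": todo += [f[1], f[2]]
        elif k == "next": todo.append(f[3])
        elif k == "onext": todo.append(f[2])
        elif k == "until": todo += [f[1], f[2], ("onext", f[3], f)]
    return cl | {neg(f) for f in cl}

def is_atom(A, cl, i):
    """The four conditions for A to be an i-type atom of cl."""
    for f in cl:
        if (f in A) == (neg(f) in A):
            return False
        if f[0] == "or" and (f in A) != (f[1] in A or f[2] in A):
            return False
        if f[0] == "until" and f[3] == i and \
           (f in A) != (f[2] in A or (f[1] in A and ("onext", i, f) in A)):
            return False
    announced = {f[1] for f in A if f[0] == "next" and f[2] == i}
    return len(announced) <= 1                      # at most one <a>_i formula in A

def atoms(cl, i):
    """AT_i by enumeration: pick each non-negated member or its negation, then filter."""
    pos = [f for f in cl if f[0] != "not"]
    result = []
    for bits in range(1 << len(pos)):
        A = frozenset(f if bits >> k & 1 else neg(f) for k, f in enumerate(pos))
        if is_atom(A, cl, i):
            result.append(A)
    return result

def member(f, fam):
    """The predicate f in {A_i}_{i in Q}; fam maps each agent of Q to its atom."""
    if len(loc(f)) == 1:
        (j,) = loc(f)
        return f in fam[j]
    if f[0] == "not":
        return not member(f[1], fam)
    return member(f[1], fam) or member(f[2], fam)    # f is a disjunction

# Constructed formula alpha_0 = <a>_1 p(1) or (p(2) U_2 q(2)).
ALPHA0 = ("or", ("next", "a", 1, p("p", 1)), ("until", p("p", 2), p("q", 2), 2))
CL = closure(ALPHA0)
AT = {i: atoms(CL, i) for i in (1, 2)}

def count_consistent_pairs():
    """Pairs (A_1, A_2) in AT_1 x AT_2 for which alpha_0 in {A_1, A_2}."""
    return sum(member(ALPHA0, {1: A1, 2: A2}) for A1 in AT[1] for A2 in AT[2])
```

For this $\alpha_0$, $CL$ has 14 formulas; a 1-type atom is free on the six non-disjunctive members (64 atoms), while a 2-type atom has $p(2)\,U_2\,q(2)$ forced by the until condition (32 atoms), and $\alpha_0$ belongs to a pair of atoms exactly when $A_1$ contains the next-formula or $A_2$ contains the until-formula. Enumerating $2^{|CL|/2}$ candidates is only sensible for toy formulas; the automaton construction never needs the atoms materialized all at once.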

The construction of the A2-automaton $A_{\alpha_0}$ is guided by the construction due to Vardi and Wolper for LTL [VW]. However, in the much richer setting of traces it turns out that one must make crucial use of the latest information that the agents have about each other when defining the transitions of $A_{\alpha_0}$. It has been shown by Mukund and Sohoni [MS] that this information can be kept track of by a deterministic A2-automaton whose size depends only on $\widetilde{\Sigma}$. (Actually the automaton described in [MS] operates over finite traces but it is a trivial task to convert it into an A2-automaton having the desired properties.) To bring out the relevant properties of this automaton, let $F \in TR^\omega$ with $F = (E, \leq, \lambda)$. For each subset $Q$ of processes, the function $latest_{F,Q} : C_F \times \mathcal{P} \to Q$ is given by $latest_{F,Q}(c, j) = \ell$ iff $\ell$ is the least member of $Q$ (under the usual ordering over the integers) with the property $\downarrow^j(\downarrow^q(c)) \subseteq \downarrow^j(\downarrow^\ell(c))$ for every $q \in Q$. In other words, among the agents in $Q$, $\ell$ has the best information about $j$ at $c$, with ties being broken by the usual ordering over integers.
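The $i$-views and $Q$-views of Proposition 3.1 and the function $latest_{F,Q}$ just defined are easy to compute directly on a finite trace. The following Python program is an added example, not part of the text: it constructs a four-event trace over three agents with $loc(a) = \{1\}$, $loc(b) = \{2\}$, $loc(d) = \{1, 2\}$ and $loc(f) = \{2, 3\}$, checks Proposition 3.1 (ii)-(iv) on it, and computes $latest_{F,Q}(c, j)$ for several $Q$ and $j$ at the full configuration. The alphabet, the events and their causal order are the example's own assumptions.

```python
from itertools import combinations

# Constructed distributed alphabet over agents 1, 2, 3.
LOC = {"a": {1}, "b": {2}, "d": {1, 2}, "f": {2, 3}}
AGENTS = {1, 2, 3}

# Constructed finite trace F = (E, <=, lambda): labels and immediate causal predecessors.
# e1 (d, agents 1 and 2) precedes e2 (f, agents 2 and 3) and e3 (a, agent 1); e4 (b, agent 2) follows e2.
LABEL = {"e1": "d", "e2": "f", "e3": "a", "e4": "b"}
PRED = {"e1": set(), "e2": {"e1"}, "e3": {"e1"}, "e4": {"e2"}}

def down(events):
    """Downward closure of a set of events under the causality order <=."""
    out, todo = set(events), list(events)
    while todo:
        for e in PRED[todo.pop()]:
            if e not in out:
                out.add(e)
                todo.append(e)
    return frozenset(out)

def configurations():
    """C_F: all downward-closed subsets of E."""
    return {down(c) for n in range(len(LABEL) + 1)
            for c in combinations(LABEL, n) if down(c) == frozenset(c)}

def iview(c, i):
    """i-view: the downward closure of c restricted to E_i."""
    return down({e for e in c if i in LOC[LABEL[e]]})

def qview(c, Q):
    """Q-view: the union of the i-views for i in Q (collective knowledge of Q at c)."""
    return frozenset().union(*(iview(c, i) for i in Q))

def local_configs(i):
    """C_F^i, the set of i-local configurations."""
    return {iview(c, i) for c in configurations()}

def is_chain(S):
    """Is (S, subset) a linear order?  (Proposition 3.1 (ii))"""
    return all(x <= y or y <= x for x in S for y in S)

def latest(c, Q, j):
    """latest_{F,Q}(c, j): the least l in Q whose j-view at c contains every other member's j-view."""
    for l in sorted(Q):
        if all(iview(iview(c, q), j) <= iview(iview(c, l), j) for q in Q):
            return l
    raise AssertionError("the j-views form a chain, so a maximum always exists")

FULL = down(LABEL)    # the configuration containing every event
```

On this trace agent 3 last synchronized with agent 2 at $e_2$, whereas agent 1 last met agent 2 at $e_1$, so among $Q = \{1, 3\}$ it is agent 3 who holds the latest information about agent 2; when both members of $Q$ know equally much, the smaller index wins, as in the definition.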

Theorem 3.3 ([MS]) There exists an effectively constructible deterministic A2-automaton $A_\Gamma = (TS, T)$ with $TS = (\{\Gamma_i\}, \{\Rightarrow_a\}, \Gamma_{in})$ such that:

(i) $L_{Tr}(A_\Gamma) = TR^\omega$.

(ii) For each $Q = \{i_1, i_2, \ldots, i_n\}$, there exists an effectively computable function $gossip_Q : \Gamma_{i_1} \times \Gamma_{i_2} \times \cdots \times \Gamma_{i_n} \times \mathcal{P} \to Q$ such that for every $F \in TR^\omega$, every $c \in C_F$ and every $j \in \mathcal{P}$, $latest_{F,Q}(c, j) = gossip_Q(\gamma(i_1), \ldots, \gamma(i_n), j)$ where $\rho_F(c) = \gamma$ and $\rho_F$ is the unique (accepting) run of $A_\Gamma$ over $F$.

Henceforth, we refer to $A_\Gamma$ as the gossip automaton. Each process in the gossip automaton has $2^{O(K^2 \log K)}$ local states, where $K = |\mathcal{P}|$. Moreover the function $gossip_Q$ can be computed in time which is polynomial in $K$.

Each $i$-state of the automaton $A_{\alpha_0}$ will consist of an $i$-type atom together with an appropriate $i$-state of the gossip automaton. Two additional components will be used to check for liveness requirements. One component will take values from the set $N_i = \{0, 1, 2, \ldots, |U_i|\}$ where $U_i = \{\alpha\,U_i\,\beta \mid \alpha\,U_i\,\beta \in CL\}$. This component will be used to ensure that all "until" requirements are met. The other component will take values from the set $\{on, off\}$. This will be used to detect when an agent has quit.

The automaton $A_{\alpha_0}$ can now be defined.

Definition 3.4 $A_{\alpha_0} = (TS, T)$, where $TS = (\{S_i\}, \{\to_a\}, S_{in})$ and $T = \{(F^{\infty}_i, F_i)\}$ are defined as follows:

(i) For each $i$, $S_i = AT_i \times \Gamma_i \times N_i \times \{on, off\}$. Recall that $\Gamma_i$ is the set of $i$-states of the gossip automaton and $N_i = \{0, 1, 2, \ldots, |U_i|\}$ with $U_i = \{\alpha\,U_i\,\beta \mid \alpha\,U_i\,\beta \in CL\}$.

(ii) Let $s_a, s'_a \in S_a$ with $s_a(i) = (A_i, \gamma_i, u_i, v_i)$ and $s'_a(i) = (A'_i, \gamma'_i, u'_i, v'_i)$ for each $i \in loc(a)$. Then $(s_a, s'_a) \in \to_a$ iff the following conditions are met:

(1) $(\gamma_a, \gamma'_a) \in \Rightarrow_a$ (recall that $\{\Rightarrow_a\}$ is the family of transition relations of the gossip automaton) where $\gamma_a, \gamma'_a \in \Gamma_a$ are such that $\gamma_a(i) = \gamma_i$ and $\gamma'_a(i) = \gamma'_i$ for each $i \in loc(a)$.

(2) $\forall i, j \in loc(a).\ A'_i = A'_j$.

(3) $\forall i \in loc(a)\ \forall\langle a\rangle_i\alpha \in CL.\ \langle a\rangle_i\alpha \in A_i$ iff $\alpha \in A'_i$.

(4) $\forall i \in loc(a)\ \forall\bigcirc_i\alpha \in CL.\ \bigcirc_i\alpha \in A_i$ iff $\alpha \in A'_i$.

(5) $\forall i \in loc(a)\ \forall\langle b\rangle_i\beta \in CL.$ If $\langle b\rangle_i\beta \in A_i$ then $b = a$.

(6) Suppose $j \notin loc(a)$ and $\beta \in CL$ with $loc(\beta) = \{j\}$. Further suppose that $loc(a) = \{i_1, i_2, \ldots, i_n\}$. Then $\beta \in A'_i$ (for $i \in loc(a)$) iff $\beta \in A_\ell$ where $\ell = gossip_{loc(a)}(\gamma_{i_1}, \gamma_{i_2}, \ldots, \gamma_{i_n}, j)$.

(7) Let $i \in loc(a)$ and $U_i = \{\alpha_1\,U_i\,\beta_1, \alpha_2\,U_i\,\beta_2, \ldots, \alpha_{n_i}\,U_i\,\beta_{n_i}\}$. Then $u'_i$ and $u_i$ are related to each other via:

$u'_i = (u_i + 1) \bmod (n_i + 1)$ if $u_i = 0$ or $\beta_{u_i} \in A_i$ or $\alpha_{u_i}\,U_i\,\beta_{u_i} \notin A_i$, and $u'_i = u_i$ otherwise.

(8) For each $i \in loc(a)$, $v_i = on$. Moreover, if $v'_i = off$ then $\langle a\rangle_i\alpha \notin A'_i$ for every $i \in loc(a)$ and every $\langle a\rangle_i\alpha \in CL$.

(iii) Let $s \in S_{\mathcal{P}}$ with $s(i) = (A_i, \gamma_i, u_i, v_i)$ for every $i$. Then $s \in S_{in}$ iff $\alpha_0 \in \{A_i\}_{i \in \mathcal{P}}$ and $\gamma \in \Gamma_{in}$ where $\gamma \in \Gamma_{\mathcal{P}}$ satisfies $\gamma(i) = \gamma_i$ for every $i$. Furthermore, $u_i = 0$ for every $i$. Finally, for every $i$, $v_i = off$ implies that $\langle a\rangle_i\alpha \notin A_i$ for every $\langle a\rangle_i\alpha \in CL$.

(iv) For each $i$, $F^{\infty}_i \subseteq S_i$ is given by $F^{\infty}_i = \{(A_i, \gamma_i, u_i, v_i) \mid u_i = 0 \text{ and } v_i = on\}$ and $F_i \subseteq S_i$ is given by $F_i = \{(A_i, \gamma_i, u_i, v_i) \mid v_i = off\}$.

The automaton $A_{\alpha_0}$ extends the automata theoretic construction for LTL described in [VW] to the setting of TrPTL. The main new feature is the use of the gossip automaton in step (ii)(6) when dealing with formulas located at agents not taking part in the current action. A detailed explanation of $A_{\alpha_0}$ can be found in [Thi1].

This construction differs from the original construction for TrPTL presented in [Thi1] in a number of ways. Each $S_i$ in [Thi1] was defined to be $AT_1 \times AT_2 \times \cdots \times AT_K \times \mathcal{U}_i \times \{act_i, act'_i, stop_i\}$ with $\mathcal{U}_i$ as the set of subsets of $U_i$. The acceptance condition used was A1. Using A2, we need just two elements $\{on, off\}$ to record when an agent has quit. Using the counter $N_i$ instead of $\mathcal{U}_i$ leads to a more compact description of $A_{\alpha_0}$. The significant improvement, namely, replacing $AT_1 \times AT_2 \times \cdots \times AT_K$ by just $AT_i$, is due to Narayan Kumar [Nar]. The arguments described in [Thi1] go through in the present setting with minor modifications. These arguments lead to the next set of results.

Theorem 3.5

(i) $\alpha_0$ is root-satisfiable iff $L_{Tr}(A_{\alpha_0}) \neq \emptyset$.

(ii) The number of local states of $A_{\alpha_0}$ is bounded by $2^{O(\max(n, m^2 \log m))}$ where $n = |\alpha_0|$ and $m$ is the number of agents mentioned in $\alpha_0$. Clearly, $m \leq n$. It follows that the root-satisfiability problem (and in fact the satisfiability problem) for TrPTL is solvable in time $2^{O(\max(n, m^2 \log m) \cdot m)}$.

The number of local states of each process in $A_{\alpha_0}$ is determined by two quantities: the length of $\alpha_0$ and the size of the gossip automaton $A_\Gamma$. As far as the size of $A_\Gamma$ is concerned, it is easy to verify that we need to consider only those agents in $\mathcal{P}$ that are mentioned in $loc(\alpha_0)$, rather than all agents in the system.

The model checking problem for TrPTL can be phrased as follows. A finite state distributed program over $\widetilde{\Sigma}$ is a pair $Pr = (A_{Pr}, V_{Pr})$ where $A_{Pr} = (\{S^{Pr}_i\}, \{\to^{Pr}_a\}, S^{Pr}_{in}, \{(F^{Pr,\infty}_i, F^{Pr}_i)\})$ is an A2-automaton modelling the state space of $Pr$ and $V_{Pr} : \bigcup_i S^{Pr}_i \to 2^{AP}$ is an interpretation of the atomic propositions over the local states of the program. (In this context, one assumes $AP$ to be a finite set.)

Let $\rho$ be a run of $A_{Pr}$ over $F = (E, \leq, \lambda)$. Then $\rho$ induces the model $M_\rho$ via $V_{Pr}$ as follows: $M_\rho = (F, \{V^\rho_i\})$ where for each $i$ and each $c \in C_F$, $V^\rho_i(\downarrow^i(c)) = V_{Pr}(s_i) \cap AP$, where $s = \rho(c)$ and $s_i = s(i)$. Viewing a formula $\alpha_0$ as a specification, we say that $Pr$ meets the specification $\alpha_0$, denoted $Pr \models \alpha_0$, if for every $F \in TR^\omega$ and for every run $\rho$ of $A_{Pr}$ over $F$, it is the case that $M_\rho, \emptyset \models \alpha_0$.

The model checking problem is to determine whether $Pr \models \alpha_0$. This problem can be solved by "intersecting" the program automaton $A_{Pr}$ with the formula automaton $A_{\neg\alpha_0}$ to yield an automaton $A$ such that $L_{Tr}(A) = L_{Tr}(A_{Pr}) \cap L_{Tr}(A_{\neg\alpha_0})$. It turns out that $L_{Tr}(A) = \emptyset$ iff $Pr \models \alpha_0$. It is easy to construct $A$. The only point to take care of is that the $i$-local states of $A$ should consist of only those pairs $(s_i, s'_i)$ (where $s_i$ is an $i$-local state of $A_{Pr}$ and $s'_i = (A_i, \gamma_i, u_i, v_i)$ is an $i$-local state of $A_{\neg\alpha_0}$) such that $V_{Pr}(s_i) \cap AP = A_i \cap AP$. The details can be found in [Thi1].

It turns out that this model checking problem has time complexity $O(|A_{Pr}| \cdot 2^{O(\max(n, m^2 \log m) \cdot m)})$ where $|A_{Pr}|$ is the size of the global state space of the A2-automaton modelling the behaviour of the given program $Pr$ and, as before, $n = |\alpha_0|$ and $m$ is the number of agents mentioned in $\alpha_0$, where $\alpha_0$ is the specification formula.

We now turn to two interesting sublogics of TrPTL. The first is the sublogic $TrPTL^{con}$, which consists of the so called connected formulas of TrPTL. We define $\Phi_{TrPTL^{con}}$ (from now on written as $\Phi^{con}$) to be the least subset of $\Phi$ satisfying the following conditions:

(i) $p(i) \in \Phi^{con}$ for every $p \in AP$ and every $i \in \mathcal{P}$.

(ii) If $\alpha, \beta \in \Phi^{con}$, so are $\neg\alpha$ and $\alpha \vee \beta$.

(iii) If $\alpha \in \Phi^{con}$ and $a \in \Sigma_i$ such that $loc(\alpha) \subseteq loc(a)$ then $\langle a\rangle_i\alpha \in \Phi^{con}$.

(iv) If $\alpha, \beta \in \Phi^{con}$ with $loc(\alpha) = loc(\beta) = \{i\}$ then $\alpha\,U_i\,\beta \in \Phi^{con}$. Actually one need only demand that $loc(\alpha), loc(\beta) \subseteq \bigcap\{loc(a) \mid a \in \Sigma_i\}$ but this leads to notational complications that we wish to avoid here.

(v) If $\alpha \in \Phi^{con}$ and $loc(\alpha) = \{i\}$ then $\bigcirc_i\alpha \in \Phi^{con}$. (Once again one needs to just demand that $loc(\alpha) \subseteq \bigcap\{loc(a) \mid a \in \Sigma_i\}$.)

Connected formulas were first identified by Niebert and used by Huhn [Huh]. They have also been independently identified by Ramanujam [Ram]. Thanks to the syntactic restrictions imposed on the next state and until formulas, past information is not allowed to creep in. Indeed one can prove the following:

Proposition 3.6 Let $\alpha \in \Phi^{con}$. Then $\alpha$ is satisfiable iff $\alpha$ is root-satisfiable.

Yet another pleasing feature of $TrPTL^{con}$ is that the gossip automaton can be eliminated in the construction of the automaton $A_{\alpha_0}$ whenever $\alpha_0 \in \Phi^{con}$. In fact one can do a bit more.

Let $\alpha_0 \in \Phi^{con}$ and let $CL_i = CL \cap \Phi^i$ for each $i$ (recall that $CL$ is an abbreviation for $CL(\alpha_0)$). We redefine an $i$-type atom to be a subset $A$ of $CL_i$ such that:

•  $\forall\beta \in CL_i.\ \beta \in A$ iff $\neg\beta \notin A$.

•  $\forall\alpha \vee \beta \in CL_i.\ \alpha \vee \beta \in A$ iff $\alpha \in A$ or $\beta \in A$.

•  $\forall\alpha\,U_i\,\beta \in CL_i.\ \alpha\,U_i\,\beta \in A$ iff $\beta \in A$ or ($\alpha \in A$ and $\bigcirc_i(\alpha\,U_i\,\beta) \in A$).

As before (but with the new definition in operation!), $AT_i$ is the set of $i$-type atoms.

Let $\alpha \in CL$ with $loc(\alpha) \subseteq Q$. The notion of $\alpha$ belonging to a family of atoms $\{A_i\}_{i \in Q}$ with $A_i \in AT_i$ for each $i \in Q$ is defined inductively in the obvious way: if $loc(\alpha) = \{i\}$ then $\alpha \in \{A_i\}_{i \in Q}$ iff $\alpha \in A_i$, and so on. The construction of $A_{\alpha_0}$ is as specified in Definition 3.4 with the following modifications:

(i) $S_i = AT_i \times N_i \times \{on, off\}$ for each $i \in \mathcal{P}$. Thus the gossip automaton is eliminated and $AT_i$ is the set of $i$-type atoms of the new kind.

(ii) (1) This condition is obviously dropped.

(2) Interestingly enough, this condition is also dropped.

(3) This condition is modified to $\forall\langle a\rangle_i\alpha \in CL.\ \langle a\rangle_i\alpha \in A_i$ iff $\alpha \in \{A'_j\}_{j \in loc(a)}$.

In addition, condition (ii)(6) is dropped, while conditions (ii)(4), (ii)(5), (ii)(7) and (ii)(8) remain unchanged. Parts (iii) and (iv) are modified to eliminate all references to the gossip automaton. After these alterations, it is not difficult to prove the following result.

Theorem 3.7 Let $\alpha_0 \in \Phi^{con}$ and $A_{\alpha_0}$ be constructed as detailed above.

(i) $\alpha_0$ is satisfiable iff $L_{Tr}(A_{\alpha_0}) \neq \emptyset$.

(ii) The satisfiability problem for $TrPTL^{con}$ is solvable in time

Once again, a suitably modified statement can be made about the associated model checking problem. At present we do not know whether or not TrPTL is strictly more expressive than $TrPTL^{con}$. We shall formulate this question more rigorously in the next section.

Yet another sublogic of TrPTL is called product TrPTL and is denoted as $TrPTL^{\otimes}$. Let $\Phi^{\otimes}$, the set of formulas of $TrPTL^{\otimes}$, be the least subset of $\Phi$ which satisfies:

(i) $p(i) \in \Phi^{\otimes}$ for every $p \in AP$ and every $i \in \mathcal{P}$.

(ii) If $\alpha, \beta \in \Phi^{\otimes}$ then so are $\neg\alpha$ and $\alpha \vee \beta$.

(iii) If $\alpha \in \Phi^{\otimes}$ with $loc(\alpha) = \{i\}$ and $a \in \Sigma_i$ then $\langle a\rangle_i\alpha \in \Phi^{\otimes}$.

(iv) If $\alpha, \beta \in \Phi^{\otimes}$ with $loc(\alpha) = loc(\beta) = \{i\}$ then $\alpha\,U_i\,\beta \in \Phi^{\otimes}$.

Clearly $\Phi^{\otimes} \subseteq \Phi^{con} \subseteq \Phi$. In case $\alpha_0 \in \Phi^{\otimes}$, the automaton $A_{\alpha_0}$ can be simplified even further (than the case when $\alpha_0 \in \Phi^{con}$). $A_{\alpha_0}$ essentially consists of a synchronized product of Büchi automata. A detailed treatment of $TrPTL^{\otimes}$ is provided in [Thi2]. The interest in this subsystem lies in the fact that the accompanying program model is particularly simple and commonplace. Namely, it consists of a fixed set of finite state transition systems that coordinate their behaviour by performing common actions together. Here we shall just sketch the construction for $A_{\alpha_0}$.

A product Büchi automaton over $\widetilde{\Sigma}$ is a structure $A = (\{TS_i\}_{i \in \mathcal{P}}, S_{in}, T)$ where $TS_i = (S_i, \to_i)$ for each $i$ with $\to_i \subseteq S_i \times \Sigma_i \times S_i$ as the local transition relation of the agent $i$. Everything else is as in the definition of an A2-automaton. Thus the key difference is that each agent comes with its own local transition relation. From these agent transition relations, one can derive the action indexed transition relations $\{\to_a\}$ as follows: $(s_a, s'_a) \in \to_a$ iff $(s_a(i), a, s'_a(i)) \in \to_i$ for every $i \in loc(a)$. Thus product Büchi automata are a (strict) subclass of the class of A2-automata.

Given  ao  G  the  construction  of  Aa0  proceeds  as  in  the  case  where  ao  6  $con. 
The  only  difference  is,  we  must  define  the  transition  relations  {-+i}izp  instead  of 
the  transition  relations  {-^a}aeE*  This  can  be  done  as  follows: 

Let  Si,  G  Si  with  Si  =  (Ai,Ui,Vi)  and  s \  =  (A^u^vl).  Let  a  G  Ei.  Then 
Si  s'  iff  the  following  conditions  are  satisfied: 

(i)  V(a)ia  G  CL.  {oi)iOL  G  Ai  iff  a  G  A 

(ii)  VOia  G  CL.  Oia  G  Ai  iff  a  G  A'. 

(iii)  If  (6)»a  G  Ai  then  b  =  a. 

(iv)  Ui  and  u\  are  related  to  each  other  just  as  in  part  (ii)(7)  of  Definition  3.4. 

(v)  Vi  and  v[  satisfy  part  (ii)(8)  of  Definition  3.4. 

As shown in [Thi2] one can establish the following result for $\mathrm{TrPTL}^{\otimes}$.

Theorem 3.8 Let $\alpha_0 \in \Phi^{\otimes}$ and $\mathcal{A}_{\alpha_0}$ be constructed as above.

(i) $\alpha_0$ is satisfiable iff $L_{Tr}(\mathcal{A}_{\alpha_0}) \neq \emptyset$.

(ii) The satisfiability problem for $\mathrm{TrPTL}^{\otimes}$ can be solved in time $2^{O(|\alpha_0|)}$.

Once again, one can make suitably modified statements about the accompanying model checking problem. As mentioned earlier, the program model in this setting consists of a fixed set (one for each $i \in \mathcal{P}$) of finite state transition systems.
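The program model just described, a fixed set of finite state transition systems that synchronize on common actions, is small enough to execute. The following Python is an added example and is not code from the original text or from [Thi2]: it takes constructed local transition relations for two agents and derives the action indexed global relation $\to_a$ exactly as in the definition of a product Büchi automaton above (only the agents in $loc(a)$ move, and each of them must take a local $a$-move; all other components stay put). The agent names, local states and actions are constructed for the illustration, and acceptance conditions are left out.

```python
"""
Added example (not from the original text): the synchronized product of
finite state transition systems that underlies product TrPTL.  Each agent i
has a local alphabet SIGMA[i] and a local transition relation LOCAL[i]; the
global relation ->_a is derived from them as in the product Buechi automaton
definition.  Acceptance is ignored; only transitions and reachability are shown.
"""
from itertools import product

# Constructed distributed alphabet: agent 1 owns a and d, agent 2 owns b and d,
# so d is a common (synchronizing) action and a, b are independent.
SIGMA = {1: {"a", "d"}, 2: {"b", "d"}}
AGENTS = sorted(SIGMA)

# Constructed local transition relations ->_i as sets of (s, a, s') triples.
# Agent 1: idle --d--> busy --a--> idle.   Agent 2: idle --d--> busy --b--> idle.
LOCAL = {
    1: {("idle", "d", "busy"), ("busy", "a", "idle")},
    2: {("idle", "d", "busy"), ("busy", "b", "idle")},
}


def loc(action):
    """Agents that participate in an action: those whose alphabet contains it."""
    return {i for i, sig in SIGMA.items() if action in sig}


def local_successors(i, s, a):
    """Local a-successors of state s in agent i."""
    return {t for (p, b, t) in LOCAL[i] if p == s and b == a}


def global_successors(state, a):
    """Derived relation ->_a on global states (tuples indexed by AGENTS):
    state ->_a state' iff state(i) ->_i^a state'(i) for every i in loc(a)
    and state(j) = state'(j) for every j not in loc(a)."""
    participants = loc(a)
    if not participants:
        return set()                 # a is not an action of this system
    options = []
    for idx, i in enumerate(AGENTS):
        if i in participants:
            succ = local_successors(i, state[idx], a)
            if not succ:
                return set()         # a participant cannot do a: no global move
            options.append(sorted(succ))
        else:
            options.append([state[idx]])
    return set(product(*options))


def reachable(initial):
    """All global states reachable from `initial` by the derived relations."""
    actions = set().union(*SIGMA.values())
    seen, todo = {initial}, [initial]
    while todo:
        s = todo.pop()
        for a in actions:
            for t in global_successors(s, a):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
    return seen


def run(initial, word):
    """Global states reachable after reading the finite word `word`
    (empty set if some letter cannot be performed along the way)."""
    current = {initial}
    for a in word:
        current = set().union(*(global_successors(s, a) for s in current))
    return current
```

Because `a` and `b` belong to different agents, the words `dab` and `dba` reach the same global states; `dad` is blocked because agent 2 is still busy and cannot take part in the second `d`. This is the independence that trace based logics exploit.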

We conclude this section with a quick look at some related logics. Katz and Peled introduced the logic ISTL [KP], which can easily be viewed as a temporal logic over traces. However, it has branching time modalities which permit quantification over the so-called observations of a trace. ISTL uses global atomic propositions rather than local atomic propositions. Penczek has also studied a number of temporal logics (including a version of ISTL) with branching time modalities and global atomic propositions [Pen]. His logics are interpreted directly over the space of configurations of a trace, resulting in a variety of axiomatizations and undecidability results. We feel that local atomic propositions (as used in TrPTL) are crucial for obtaining tractable partial order based temporal logics. Niebert has considered a $\mu$-calculus version of TrPTL [Nie] and has obtained a decidability result using a variant of asynchronous Büchi automata. Since this logic uses "local" fixed points, it is not clear at present what the expressive power of this logic is. The four linear time temporal logics studied by Ramanujam in a closely related setting [Ram] can easily be captured as four sublogics of TrPTL through purely syntactic restrictions. Two of the resulting sublogics are $\mathrm{TrPTL}^{\otimes}$ and $\mathrm{TrPTL}_{con}$. It is not clear at present whether the other two logics admit a simpler treatment in terms of asynchronous Büchi automata (than the one for TrPTL).

The temporal logic of causality (TLC) proposed by Alur, Peled and Penczek is basically a temporal logic over traces [APP]. The concurrent structures used in [APP] as frames for TLC can easily be represented as traces over an appropriately chosen trace alphabet. The interesting feature of TLC is that its branching time modalities are interpreted over causal paths. In a trace $(E, \le, \lambda)$, the sequence $e_0 e_1 \cdots \in E^{\infty}$ is a causal path if $e_0 \lessdot e_1 \lessdot \cdots$, i.e., each event is an immediate successor of the previous one. This logic is almost certainly not expressible within the first order theory of traces, although it admits an elementary time (in fact essentially exponential time) decision procedure.

Finally,  Ebinger  has  also  proposed  a  linear  time  temporal  logic  to  be  interpreted 
over  traces  [Ebi].  An  interesting  property  of  this  logic  is  that  when  its  frames 
are  restricted  to  be  finite  traces  then  it  is  exactly  equivalent  to  the  first  order 
theory  of  finite  traces.  Unfortunately  the  decidability  of  this  logic  is  settled  using  a 
translation  into  the  first  order  theory  of  infinite  traces.  Hence  the  decision  procedure 
has  non-elementary  time  complexity. 


4 Expressiveness Issues

Our main aim here is to show that TrPTL is expressible within the first order theory of traces. In order to simplify the presentation, we shall eliminate atomic propositions and instead use the single constant $\top$ standing for "True" (and $\bot = \neg\top$ standing for "False"). The resulting logic will also be called TrPTL, accompanied by the notations and terminology developed in the previous section. The function $loc$ which assigns a set of processes to a formula works exactly as before, except that we start with $loc(\top) = \emptyset$. As will be seen later, this entails minor changes in the definition of the syntax of $\mathrm{TrPTL}_{con}$ and $\mathrm{TrPTL}^{\otimes}$. For now, we repeat that the syntax of the set of formulas of TrPTL is now given by:

$\top \mid \neg\alpha \mid \alpha \vee \beta \mid \langle a \rangle_i \alpha \mid \alpha\, \mathcal{U}_i\, \beta.$

As before, for $\langle a \rangle_i \alpha$ to be a formula we require $a \in \Sigma_i$. Local atomic propositions can be coded up into the actions and hence their elimination does not result in loss of expressive power.

A model is just an infinite trace $F \in TR^{\omega}$. We set $F, c \models \top$ for every $c \in C_F$. The rest of the semantics is as before. $L_{\alpha}$, the $\omega$-trace language defined by the formula $\alpha$, is given by $L_{\alpha} = \{F \mid F \in TR^{\omega} \text{ and } F, \emptyset \models \alpha\}$. We say that $L \subseteq TR^{\omega}$ is TrPTL-definable iff there exists $\alpha \in \Phi$ such that $L = L_{\alpha}$.

First we shall compare the expressive powers of TrPTL, $\mathrm{TrPTL}_{con}$ and $\mathrm{TrPTL}^{\otimes}$. In order to do so, we must define the syntax of the two sublogics in the present setting. For $\mathrm{TrPTL}_{con}$ the only changes that are required are:

• $\top \in \Phi_{con}$.

• If $\alpha, \beta \in \Phi_{con}$ such that $loc(\alpha), loc(\beta) \subseteq \{i\}$ then $\alpha\, \mathcal{U}_i\, \beta \in \Phi_{con}$.

For $\mathrm{TrPTL}^{\otimes}$, the only changes that are required are:

• $\top \in \Phi^{\otimes}$.

• If $\alpha \in \Phi^{\otimes}$ such that $loc(\alpha) \subseteq \{i\}$ and if $a \in \Sigma_i$ then $\langle a \rangle_i \alpha \in \Phi^{\otimes}$.

• If $\alpha, \beta \in \Phi^{\otimes}$ with $loc(\alpha), loc(\beta) \subseteq \{i\}$ then $\alpha\, \mathcal{U}_i\, \beta \in \Phi^{\otimes}$.

The notion of $L \subseteq TR^{\omega}$ being $\mathrm{TrPTL}_{con}$-definable or $\mathrm{TrPTL}^{\otimes}$-definable is formulated in the obvious way. Since $\Phi^{\otimes} \subseteq \Phi_{con} \subseteq \Phi$ it is clear that TrPTL is at least as expressive as $\mathrm{TrPTL}_{con}$, which in turn is at least as expressive as $\mathrm{TrPTL}^{\otimes}$. As mentioned earlier, we do not know at present if TrPTL is strictly more expressive than $\mathrm{TrPTL}_{con}$, though we conjecture that this is the case.

We do know, however, that $\mathrm{TrPTL}_{con}$ is strictly more expressive than $\mathrm{TrPTL}^{\otimes}$. To illustrate this it will be convenient to extend the notion of definability to subsets of $\Sigma^{\omega}$. We say that $L \subseteq \Sigma^{\omega}$ is TrPTL-definable iff $L$ is $I$-consistent and $\{str(\sigma) \mid \sigma \in L\}$ is TrPTL-definable. This notion is defined for $\mathrm{TrPTL}_{con}$ and $\mathrm{TrPTL}^{\otimes}$ in the obvious way. Hence in order to show that $\mathrm{TrPTL}_{con}$ is more expressive than $\mathrm{TrPTL}^{\otimes}$ it suffices to exhibit some $L \subseteq \Sigma^{\omega}$ which is $I$-consistent and is $\mathrm{TrPTL}_{con}$-definable but not $\mathrm{TrPTL}^{\otimes}$-definable.

Let $\tilde{\Sigma} = \{\Sigma_1, \Sigma_2\}$ with $\Sigma_1 = \{a, a', d\}$ and $\Sigma_2 = \{b, b', d\}$. Let $\Sigma = \{a, a', b, b', d\}$. Consider $L \subseteq \Sigma^{\omega}$ given by:

$L = (d(ab + ba + a'b' + b'a'))^{\omega}.$

It turns out that $L$ is not $\mathrm{TrPTL}^{\otimes}$-definable. Clearly $L$ is $I$-consistent. As shown in [Thi2], for $L$ to be $\mathrm{TrPTL}^{\otimes}$-definable it must be a so-called (synchronized) product language. As a result, it would have to possess the following property:

(PR) Suppose $\sigma \in \Sigma^{\omega}$. Then $\sigma \in L$ iff there exist $\sigma_1, \sigma_2 \in L$ such that $\sigma \upharpoonright \Sigma_1 = \sigma_1 \upharpoonright \Sigma_1$ and $\sigma \upharpoonright \Sigma_2 = \sigma_2 \upharpoonright \Sigma_2$.

Now let $\sigma = (dab')^{\omega}$, $\sigma_1 = (dab)^{\omega}$ and $\sigma_2 = (da'b')^{\omega}$. Clearly $\sigma \upharpoonright \Sigma_1 = \sigma_1 \upharpoonright \Sigma_1$ and $\sigma \upharpoonright \Sigma_2 = \sigma_2 \upharpoonright \Sigma_2$. Since $\sigma_1, \sigma_2 \in L$, this would imply that $\sigma \in L$, which it is not. Hence $L$ cannot be a product language and therefore is not $\mathrm{TrPTL}^{\otimes}$-definable. On the other hand, it is a simple exercise to come up with a formula $\alpha \in \Phi_{con}$ such that $\{str(\sigma) \mid \sigma \in L\} = L_{\alpha}$.
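The separation argument above can be checked mechanically on finite approximations. The following Python is an added example, not code from the original text: it encodes the distributed alphabet of the example (writing $a'$ and $b'$ as `A` and `B`), tests $I$-consistency of the finite block language $d(ab + ba + a'b' + b'a')$ by enumerating trace equivalence classes, and reproduces the failure of (PR) on finite iterations of the three periodic words $\sigma$, $\sigma_1$, $\sigma_2$. Membership in the finite language $(d(ab + ba + a'b' + b'a'))^*$ is decided with a regular expression, which stands in for the $\omega$-language $L$ on finite prefixes; the letter encoding and the length bounds are assumptions of the example.

```python
"""
Added example (not from the original text): the language
L = (d(ab + 

ba + a'b' + b'a'))^omega that separates TrPTL_con from TrPTL^(x).
Infinite words are handled through finite iterations of their repeating
block; a' and b' are written as the letters A and B.
"""
import re

# Constructed distributed alphabet: agent 1 owns a, a', d; agent 2 owns b, b', d.
SIGMA = {1: set("aAd"), 2: set("bBd")}

# Finite version of L: the regular expression accepts (d(ab+ba+a'b'+b'a'))^*.
BLOCKS = re.compile(r"^(d(ab|ba|AB|BA))*$")
BLOCK_WORDS = ["dab", "dba", "dAB", "dBA"]


def independent(x, y):
    """x I y iff no agent participates in both letters."""
    return not any(x in s and y in s for s in SIGMA.values())


def in_L_finite(word):
    """Membership in (d(ab + ba + a'b' + b'a'))^*."""
    return BLOCKS.match(word) is not None


def project(word, agent):
    """sigma restricted to the alphabet of the agent (sigma|Sigma_i)."""
    return "".join(x for x in word if x in SIGMA[agent])


def trace_class(word):
    """The I-equivalence class of a finite word: every word reachable by
    repeatedly swapping adjacent independent letters."""
    seen, todo = {word}, [word]
    while todo:
        w = todo.pop()
        for k in range(len(w) - 1):
            if independent(w[k], w[k + 1]):
                v = w[:k] + w[k + 1] + w[k] + w[k + 2:]
                if v not in seen:
                    seen.add(v)
                    todo.append(v)
    return seen


def i_consistent_up_to(n):
    """I-consistency of the finite language, checked on all its members of
    length <= n: every I-equivalent word must again be a member."""
    members, frontier = {""}, {""}
    while frontier:
        frontier = {w + b for w in frontier for b in BLOCK_WORDS if len(w + b) <= n}
        members |= frontier
    return all(in_L_finite(v) for w in members for v in trace_class(w))


def pr_counterexample(reps):
    """Property (PR) would force sigma = (dab')^omega into L, because its
    projections agree with sigma_1 = (dab)^omega and sigma_2 = (da'b')^omega.
    Returns (projections agree, sigma_1 and sigma_2 in L, sigma in L) for
    `reps` iterations of the blocks; (PR) fails when this is (True, True, False)."""
    sigma, sigma1, sigma2 = "daB" * reps, "dab" * reps, "dAB" * reps
    agree = (project(sigma, 1) == project(sigma1, 1)
             and project(sigma, 2) == project(sigma2, 2))
    return agree, in_L_finite(sigma1) and in_L_finite(sigma2), in_L_finite(sigma)
```

The check of $I$-consistency succeeds because the only independent pairs are $\{a, a'\} \times \{b, b'\}$ and the block language contains both orders of each permitted pair, while $d$ is dependent on everything and so pins the block boundaries in place.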

We now turn to $FO(\Sigma)$, the first order theory of infinite traces over $\Sigma$. One starts with a countable set of individual variables $X = \{x_0, x_1, \ldots\}$, with $x, y, z$ with or without subscripts ranging over $X$. For each $a \in \Sigma$ there is a unary predicate symbol $R_a$. There is also a binary predicate symbol $\le$.

$R_a(x)$ and $x \le y$ are atomic formulas. If $\varphi$ and $\varphi'$ are formulas, so are $\neg\varphi$, $\varphi \vee \varphi'$ and $(\exists x)\varphi$. The structures for this first order theory are elements of $TR^{\omega}$. Let $F \in TR^{\omega}$ with $F = (E, \le, \lambda)$ and let $\mathcal{I} : X \to E$ be an interpretation. Then $F \models^{FO}_{\mathcal{I}} R_a(x)$ iff $\lambda(\mathcal{I}(x)) = a$, and $F \models^{FO}_{\mathcal{I}} x \le y$ iff $\mathcal{I}(x) \le \mathcal{I}(y)$. The remaining semantic definitions go along the expected lines. Each sentence $\varphi$ (i.e., a formula with no free occurrences of variables) defines the $\omega$-trace language $L_{\varphi} = \{F \mid F \models^{FO} \varphi\}$.

We say that $L \subseteq TR^{\omega}$ is FO-definable iff there exists a sentence $\varphi$ in $FO(\Sigma)$ such that $L = L_{\varphi}$. As before we will say that $L \subseteq \Sigma^{\omega}$ is FO-definable iff $L$ is $I$-consistent and $\{str(\sigma) \mid \sigma \in L\}$ is FO-definable.


Using the fact that LTL has the same expressive power as the first order theory of sequences, one can show that $L \subseteq \Sigma^{\omega}$ is FO-definable iff it is $I$-consistent and LTL-definable [EM]. It will be worthwhile to pin down the notion of LTL-definability. In the current setting, remembering that $(\Sigma, I)$ is the trace alphabet induced by $\tilde{\Sigma}$, we define the syntax of the logic $LTL(\Sigma)$ as follows:

$LTL(\Sigma) ::= \top \mid \neg\alpha \mid \alpha \vee \beta \mid \langle a \rangle \alpha \mid \alpha\, \mathcal{U}\, \beta.$

A model is an infinite word $\sigma$. For $\sigma \in \Sigma^{\omega}$ and $n \in \omega$, the notion of $\alpha \in LTL(\Sigma)$ being satisfied at stage $n$ is denoted by $\sigma, n \models \alpha$. This satisfaction relation is defined in the usual manner. The only point of interest might be that $\sigma, n \models \langle a \rangle \alpha$ iff $\sigma(n+1) = a$ and $\sigma, n+1 \models \alpha$. We say that $L \subseteq \Sigma^{\omega}$ is LTL-definable iff there exists $\alpha \in LTL(\Sigma)$ such that $L = L_{\alpha}$, where $L_{\alpha} = \{\sigma \in \Sigma^{\omega} \mid \sigma, 0 \models \alpha\}$.

The result in [EM] relating FO-definable subsets of $TR^{\omega}$ and LTL-definable subsets of $\Sigma^{\omega}$ can now be phrased as follows.

Proposition 4.1 Let $L \subseteq \Sigma^{\omega}$. Then the following statements are equivalent.

(i) $L$ is $I$-consistent and LTL-definable.

(ii) $\{str(\sigma) \mid \sigma \in L\}$ is an FO-definable subset of $TR^{\omega}$.

We now wish to concentrate on showing that TrPTL is expressible within the first order theory of infinite traces.

To show this, we will freely use the standard derived connectives of Propositional Calculus, together with universal quantification and abbreviations such as $x = y$ for $(x \le y) \wedge (y \le x)$, $x < y$ for $(x \le y) \wedge \neg(y \le x)$, $x \le y \le z$ for $(x \le y) \wedge (y \le z)$, etc.

An event $e$ is an $i$-event iff $\lambda(e) \in \Sigma_i$. With this in mind, we let $x \in E_i$ stand for the formula $\bigvee_{a \in \Sigma_i} R_a(x)$. The key to the result we are after is the observation that configurations of a trace can be described using predicates of bounded dimension. In what follows we let $Q, Q', Q''$ range over the non-empty subsets of $\mathcal{P}$. For $Q = \{i_1, i_2, \ldots, i_n\}$, the formula $config(\{x_i\}_{i \in Q})$ is defined as:

$config(\{x_i\}_{i \in Q}) = (\varphi_1 \wedge \varphi_2 \wedge \varphi_3)$, where

$\varphi_1 = \bigwedge_{i \in Q} x_i \in E_i,$

$\varphi_2 = \bigwedge_{i \neq j} \bigwedge_{a \in \Sigma_i \cap \Sigma_j} \big((R_a(x_i) \wedge R_a(x_j)) \Rightarrow x_i = x_j\big),$

$\varphi_3 = \bigwedge_{i, j} (\forall y)\, \big((y \in E_j \wedge y \le x_i) \Rightarrow y \le x_j\big),$

with $i, j$ ranging over $Q$. We can now write down a formula describing prime configurations; recall that a prime configuration is one of the form $\downarrow e$, where $e \in E$. Let $loc(a) \subseteq Q$. Then the formula $prime_a(\{x_i\}_{i \in Q})$ is defined as

$config(\{x_i\}_{i \in Q}) \wedge \bigwedge_{i \in loc(a)} \Big( R_a(x_i) \wedge \bigwedge_{j \in Q - loc(a)} x_j \le x_i \Big).$

A careful examination of this formula along with the basic properties of traces at once leads to the next result.

Proposition 4.2 Let $F = (E, \le, \lambda) \in TR^{\omega}$ and let $\mathcal{I} : X \to E$ be an interpretation. Then $F \models^{FO}_{\mathcal{I}} prime_a(\{x_i\}_{i \in Q})$ iff there exists an $a$-event $e$ such that for each $j \in Q$, $\mathcal{I}(x_j)$ is the $\le$-maximum event in $\downarrow e \cap E_j$, and for each $j \notin Q$, $\downarrow e \cap E_j = \emptyset$.


For each $\alpha \in \Phi$ we now define the sentence $Sat(\emptyset, \alpha)$ and the set of formulas $\{SAT(\{x_i\}_{i \in Q}, \alpha) \mid \{x_i\}_{i \in Q} \subseteq X \text{ and } \emptyset \neq Q \subseteq \mathcal{P}\}$ through simultaneous induction as follows:

• $Sat(\emptyset, \top) = SAT(\{x_i\}_{i \in Q}, \top) = (\exists x)\, x = x$.

• $Sat(\emptyset, \neg\alpha) = \neg Sat(\emptyset, \alpha)$.

$SAT(\{x_i\}_{i \in Q}, \neg\alpha) = \neg SAT(\{x_i\}_{i \in Q}, \alpha)$.

• $Sat(\emptyset, \alpha \vee \beta) = Sat(\emptyset, \alpha) \vee Sat(\emptyset, \beta)$.

$SAT(\{x_i\}_{i \in Q}, \alpha \vee \beta) = SAT(\{x_i\}_{i \in Q}, \alpha) \vee SAT(\{x_i\}_{i \in Q}, \beta)$.

• $Sat(\emptyset, \langle a \rangle_j \alpha) = \bigvee_{Q \supseteq loc(a)} (\exists x_{i_1}, \exists x_{i_2}, \ldots, \exists x_{i_n})\, \varphi_1 \wedge \varphi_2 \wedge \varphi_3$
where $Q = \{i_1, i_2, \ldots, i_n\}$ and

$\varphi_1 = prime_a(\{x_i\}_{i \in Q}),$

$\varphi_2 = SAT(\{x_i\}_{i \in Q}, \alpha),$

$\varphi_3 = (\forall y)\, \big((y \in E_j \wedge y \le x_j) \Rightarrow y = x_j\big).$

$SAT(\{x_i\}_{i \in Q}, \langle a \rangle_j \alpha)$ is defined according to two cases.

Case 1, $j \notin Q$: $SAT(\{x_i\}_{i \in Q}, \langle a \rangle_j \alpha) = Sat(\emptyset, \langle a \rangle_j \alpha)$.

Case 2, $j \in Q$:

$SAT(\{x_i\}_{i \in Q}, \langle a \rangle_j \alpha) = \bigvee_{Q' \supseteq loc(a)} (\exists y_{k_1}, \exists y_{k_2}, \ldots, \exists y_{k_n})\, \varphi_1 \wedge \varphi_2 \wedge \varphi_3$
where $Q' = \{k_1, k_2, \ldots, k_n\}$, $\{y_k\}_{k \in Q'}$ is disjoint from $\{x_i\}_{i \in Q}$ and

$\varphi_1 = prime_a(\{y_k\}_{k \in Q'}),$

$\varphi_2 = SAT(\{y_k\}_{k \in Q'}, \alpha),$

$\varphi_3 = (\forall y)\, \big(y \in E_j \Rightarrow (y < y_j \Leftrightarrow y \le x_j)\big).$

• $Sat(\emptyset, \alpha\, \mathcal{U}_j\, \beta) = Sat(\emptyset, \beta) \vee \big(Sat(\emptyset, \alpha) \wedge Sat(\emptyset, \bigvee_{a \in \Sigma_j} \langle a \rangle_j (\alpha\, \mathcal{U}_j\, \beta))\big)$.

$SAT(\{x_i\}_{i \in Q}, \alpha\, \mathcal{U}_j\, \beta)$ is defined according to two cases.

Case 1, $j \notin Q$: $SAT(\{x_i\}_{i \in Q}, \alpha\, \mathcal{U}_j\, \beta) = Sat(\emptyset, \alpha\, \mathcal{U}_j\, \beta)$.

Case 2, $j \in Q$:

$SAT(\{x_i\}_{i \in Q}, \alpha\, \mathcal{U}_j\, \beta) = \bigvee_{a \in \Sigma_j} \bigvee_{Q' \supseteq loc(a)} (\exists y_{k_1}, \exists y_{k_2}, \ldots, \exists y_{k_n})\, \varphi_1 \wedge \varphi_2 \wedge \varphi_3 \wedge \varphi_4$
where $Q' = \{k_1, k_2, \ldots, k_n\}$, $\{y_k\}_{k \in Q'}$ is disjoint from $\{x_i\}_{i \in Q}$ and

$\varphi_1 = prime_a(\{y_k\}_{k \in Q'}),$

$\varphi_2 = x_j \le y_j,$

$\varphi_3 = SAT(\{y_k\}_{k \in Q'}, \beta),$

$\varphi_4 = (\forall z)\, \big((z \in E_j \wedge x_j \le z < y_j) \Rightarrow \varphi'_4\big),$

where $\varphi'_4 = \bigvee_{b \in \Sigma_j} \bigvee_{Q'' \supseteq loc(b)} (\exists z_{l_1}, \exists z_{l_2}, \ldots, \exists z_{l_m})\, \varphi'_{41} \wedge \varphi'_{42} \wedge \varphi'_{43}$

with $Q'' = \{l_1, l_2, \ldots, l_m\}$, $\{z_l\}_{l \in Q''}$ disjoint from both $\{x_i\}_{i \in Q}$ and $\{y_k\}_{k \in Q'}$, and

$\varphi'_{41} = prime_b(\{z_l\}_{l \in Q''}),$

$\varphi'_{42} = (z = z_j),$

$\varphi'_{43} = SAT(\{z_l\}_{l \in Q''}, \alpha).$


Let $f$ be the map which sends each formula in $\Phi$ to a sentence in $FO(\Sigma)$ via $f(\alpha) = Sat(\emptyset, \alpha)$. Using the previous proposition and the semantics of TrPTL, it is not difficult to prove the following:

Theorem 4.3

(i) For every $F \in TR^{\omega}$, $F, \emptyset \models \alpha$ iff $F \models^{FO} f(\alpha)$.

(ii) If $L \subseteq TR^{\omega}$ is TrPTL-definable then it is also $FO(\Sigma)$-definable.

As mentioned earlier, we do not know at present if TrPTL is expressively complete, i.e., whether every $L \subseteq TR^{\omega}$ which is $FO(\Sigma)$-definable is also TrPTL-definable. From Proposition 4.1 it clearly follows that the expressive completeness of TrPTL can be characterized as follows:

Corollary 4.4 The following statements are equivalent:

(i) TrPTL is expressively complete.

(ii) For every $L \subseteq \Sigma^{\omega}$, if $L$ is $I$-consistent and $L$ is LTL-definable then $L$ is TrPTL-definable.

We  believe  that  TrPTL  is  not  expressively  complete.  This  leads  to  the  following 
question:  What  is  the  linear  time  temporal  logic  of  infinite  traces?  Such  a  logic 
should  possess  the  following  properties: 

(TR1)  It  should  be  expressively  complete. 

(TR2) It should admit a decision procedure (preferably in terms of asynchronous Büchi automata) whose time complexity is $2^{p(n,m)}$, where $n$ is the size of the input formula, $m = |\Sigma|$ and $p$ is a (low degree) polynomial in $n$ and $m$.

(TR3)  It  should  be  possible  to  transparently  express  global  liveness  and  safety 
properties  in  the  logic. 

It  is  worth  noting  that  TrPTL  and  most  of  the  decidable  temporal  logics  over 
traces  mentioned  earlier  such  as  [Nie]  and  [APP]  cannot  express  all  global  invariant 
properties.  The  somewhat  awkward  semantics  of  the  logic  in  [Ebi]  also  makes  it 
event-based  and  hence  not  suitable  for  expressing  invariant  properties.  However 
we  believe  that  it  should  be  possible  to  define  a  logic  with  a  variant  of  the  until 
operator  defined  in  [Ebi]  which  will  be  able  to  capture  global  liveness  and  safety 
properties  in  a  straightforward  manner. 


Any linear time temporal logic over traces which fulfils the properties (TR1)-(TR3) will be a very useful specification tool. In particular it will exactly capture properties that are expressible by $I$-consistent formulas in LTL ($\alpha \in LTL(\Sigma)$ is $I$-consistent iff $L_{\alpha}$ is $I$-consistent). This is important because it is such properties which can be verified efficiently using partial order based verification methods [GW, Val].


5  Conclusion 

In this paper we have considered linear time temporal logics over traces. Our emphasis has been on TrPTL and its two sublogics $\mathrm{TrPTL}_{con}$ and $\mathrm{TrPTL}^{\otimes}$. The choice of these logics has been mainly motivated by the fact that they are expressible within the first order theory of traces and the fact that they can be studied using asynchronous Büchi automata.

Our formulation of asynchronous Büchi automata in terms of the acceptance condition A2 appears to be particularly suited for logical studies. The present constructions are much more compact and transparent than the ones in [Thi1], which used A1 as the acceptance condition. We feel that, in the future, alternating versions of our automata will play an important role in the study of temporal logics over traces.

As  we  have  mentioned  a  number  of  times,  an  important  open  problem  is  to  pin 
down  a  linear  time  temporal  logic  for  traces  (assuming  it  exists!)  which  will  fulfill 
the  properties  set  out  in  the  previous  section.  A  solution  to  this  problem  will  at 
once  open  up  the  possibility  of  investigating  branching  time  temporal  logics  where 
path  quantification  is  over  traces. 
A solution of an interleaving decision problem
by a partial order technique


Albert  R.  Meyer*  Alexander  Rabinovich* 


1  Introduction 

1.1  Interleaving  versus  partial  order  semantics 

Approaches to the semantics of concurrent systems may be divided into two main groups: interleaving and partial order. In the interleaving approach, only the temporal behavior of the events of a run is observable; in the partial order approach, the 'causal dependency' between events is considered as well.

The  supporters  of  the  interleaving  approach  argue  that 

1.  Specifications  of  concurrent  systems  always  refer  only  to  the  temporal  behav¬ 
ior  and  ignore  causal  behavior. 

2.  Interleaving  semantics  are  technically  much  simpler  than  partial  order  seman¬ 
tics. 

Supporters of the partial order approach argue that this approach gives a better account of the activity of a concurrent system. However, in view of (1), it is difficult to convince a researcher of interleaving semantics that causal aspects are important.

Another  argument  in  favor  of  partial  order  semantics  appeals  to  partial  order  heuris¬ 
tics  for  verification  of  interleaving  behavior.  Recently  a  number  of  such  heuristics 
were  suggested  and  in  several  case  studies  it  was  empirically  demonstrated  that 
these  heuristics  were  efficient  (see  recent  Proceedings  of  CONCUR  and  CAV).  How¬ 
ever,  the  partial  order  heuristics  do  not  improve  the  complexity  of  verification. 

In  our  paper  another  argument  in  favor  of  partial  order  semantics  is  provided.  We 
consider  a  decision  problem  which  is  formulated  in  terms  of  interleaving  semantics. 
The  decision  algorithm  will  be  given  in  interleaving  terms.  However,  we  devel¬ 
oped  and  proved  the  correctness  of  the  algorithm  by  appealing  to  a  partial  order 
semantics. 
This situation is similar to one which often occurs in mathematics. For example, to find real valued functions that solve a linear differential equation we solve it over the complex numbers. Similarly, one who believes that only interleaving behavior is real may still gain by considering causal semantics.


1.2  Summary  of  our  results 

In  this  paper  we  consider  the  following 

Decision problem: Given expressions $E_1$ and $E_2$ constructed from variables by the regular operations and shuffle, is the identity $E_1 = E_2$ true for all instantiations of its variables by formal languages?

For example, the identity $(X^*Y^*)^* = (X + Y)^*$ is true because for all languages $L_1$ and $L_2$, the languages $(L_1^* L_2^*)^*$ and $(L_1 + L_2)^*$ are the same.

The above identity contains only regular operations: concatenation, union and iteration. An easy 'folk' theorem [3] shows that the validity of an identity over regular operations can be verified by instantiating the language variables as single letters. For example, in order to check the validity of $(X^*Y^*)^* = (X + Y)^*$ we instantiate the variables $X$ and $Y$ by single letters $a$ and $b$ and verify that $(a^*b^*)^* = (a + b)^*$. Checking this variable-free identity is a routine matter of checking equivalence of finite state automata.

In concurrency a very important role is played by parallel composition operators. The simplest of these operators is the non-communicating parallel connective $\|$, corresponding to shuffle of languages. The above folk theorem fails for expressions containing shuffle. For example, for single letters $a$ and $b$, the languages $a \| b$ and $ab + ba$ are the same. However, the identity $X \| Y = XY + YX$ is not true (indeed, instantiate $X$ by $a$ and $Y$ by $bc$: the string $bac$ lies in $a \| bc$ but not in $abc + bca$).

An algorithm for the valid identity problem is provided in this paper. In order to check the validity of an identity $E_1(X_1, \ldots, X_n) = E_2(X_1, \ldots, X_n)$ we will specify (see Theorem 3) finite languages $L_1, \ldots, L_n$ (the languages depend on $E_1$ and $E_2$) such that the identity is valid iff the variable-free identity obtained through instantiation of $X_1, \ldots, X_n$ by $L_1, \ldots, L_n$ is true. Checking this last variable-free identity is reduced to checking language equivalence of finite state automata.


2  Shuffle  Regular  Expressions 

We presuppose two fixed infinite sets

$Act = \{a, a_1, \ldots, b, b_1, \ldots\}$, the actions;
$Var = \{X, X_1, \ldots, Y, Y_1, \ldots\}$, the variable symbols.

Shuffle regular expressions are defined by the following grammar:

$E ::= x \mid c \mid E + E \mid E; E \mid E \| E \mid E^*$, where $x$ ranges over the alphabet $Var$ of variable symbols and $c$ ranges over the alphabet $Act$ of constant symbols.
$[\![c]\!]\sigma = \{c\}$

$[\![x]\!]\sigma = \sigma(x)$

$[\![E_1 + E_2]\!]\sigma$ = Union of $[\![E_1]\!]\sigma$ and $[\![E_2]\!]\sigma$

$[\![E_1; E_2]\!]\sigma$ = Concatenation of $[\![E_1]\!]\sigma$ and $[\![E_2]\!]\sigma$

$[\![E_1 \| E_2]\!]\sigma$ = Shuffle of $[\![E_1]\!]\sigma$ and $[\![E_2]\!]\sigma$

$[\![E^*]\!]\sigma = ([\![E]\!]\sigma)^*$

Figure 1: Definition of $[\![E]\!]\sigma$


We denote by $FVar(E)$ the set of variables which occur in $E$.

We say that $E$ is a variable free expression if $FVar(E) = \emptyset$.

We use the notation $E\{E_1/X_1 \ldots E_n/X_n\}$ for the expression obtained from $E$ by simultaneous substitution of $E_i$ for $X_i$. We use $\sum_{i=1}^{n} E_i$ as an abbreviation for $E_1 + E_2 + \cdots + E_n$.

A string is a finite sequence of actions; we use $w, u$ to range over strings. A string language is a set of strings; we use $L$ to range over string languages.

The operations sum, concatenation, iteration and shuffle are defined in the standard way on string languages.

We recall that a string $w$ belongs to the shuffle of languages $L_1$ and $L_2$ if $w = w_1 u_1 w_2 u_2 \ldots w_k u_k$ where $w_1 w_2 \ldots w_k \in L_1$ and $u_1 u_2 \ldots u_k \in L_2$ (the pieces $w_i$ and $u_i$ may be empty).

A string language environment for $\{X_1 \ldots X_n\}$ is a function which assigns to each $X_i$ a string language. For an expression $E$ and a string language environment $\sigma$ for a set that contains the free variables of $E$, the string language $[\![E]\!]\sigma$ is assigned in a standard way by structural induction on the expressions (see Fig. 1).

It is clear that if $\sigma(x) = \sigma'(x)$ for every $x \in FVar(E)$ then $[\![E]\!]\sigma = [\![E]\!]\sigma'$.


3  The  Valid  Identity  Problem 

We will consider the following decision problem.

Valid Identity Problem:

Input: A pair of shuffle regular expressions $E_1$ and $E_2$.

Question: Is the identity $E_1 = E_2$ valid, i.e., are the languages $[\![E_1]\!]\sigma$ and $[\![E_2]\!]\sigma$ equal for every string language environment $\sigma$ for $FVar(E_1) \cup FVar(E_2)$?

The  main  technical  result  of  our  paper  is 

Theorem  1  The  valid  identity  problem  for  shuffle  regular  expressions  is  decidable. 
Theorem  1  follows  from  the  next  two  theorems. 

Theorem  2  The  valid  identity  problem  for  variable  free  shuffle  regular  expressions 
is  decidable. 
$sn(X) = sn(a) = 0$

$sn(E_1 + E_2) = sn(E_1; E_2) = \max(sn(E_1), sn(E_2))$

$sn(E_1 \| E_2) = sn(E_1) + sn(E_2) + 1$

$sn(E^*) = sn(E)$

Figure 2: Shuffle nesting of expressions


Proof: The problem is easily reduced to the problem of equivalence of finite state automata. □

Notation: The shuffle nesting of an expression $E$ is denoted by $sn(E)$ and is defined in Fig. 2.

Theorem 3 Let $E_1$ and $E_2$ be shuffle expressions over variables $X_1, \ldots, X_n$ such that the shuffle nesting of $E_1$ and $E_2$ is bounded by $k$. Let $\{a_{i,j}, b_{i,j} : i = 1, \ldots, n;\ j = 1, \ldots, k\}$ be distinct actions which do not occur in the expressions $E_1, E_2$. Let $SPLIT^i_k$ be the expression $\sum_{j=1}^{k} a_{i,j}; b_{i,j}$. The identity $E_1 = E_2$ is valid if and only if the variable free identity

$E_1\{SPLIT^1_k/X_1 \ldots SPLIT^n_k/X_n\} = E_2\{SPLIT^1_k/X_1 \ldots SPLIT^n_k/X_n\}$

is valid.

Proof: In order to prove this theorem we appeal to notions which were developed in the causal approach to concurrency. Theorem 3 follows from Theorem 7 and Theorem 9, part 2, below. □
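As an added example (not the authors' code), the following Python implements the ingredients of Theorem 3: an AST for shuffle regular expressions, the semantics of Fig. 1 on languages truncated to a length bound, the shuffle nesting of Fig. 2, simultaneous substitution, and the $SPLIT$ instantiation, and it runs them on the two identities from the introduction. The length bound `BOUND` and the choice $k = \max(sn(E_1), sn(E_2), 1)$ are assumptions of this example. Because every operation is length-monotone, the truncated semantics is exact for all strings up to the bound, so any difference it reports is a genuine counterexample; equality up to the bound is only evidence, not the automata equivalence check of Theorem 2.

```python
"""
Added example (not from the original paper): shuffle regular expressions with
the string-language semantics of Fig. 1, the shuffle nesting sn(E) of Fig. 2,
simultaneous substitution E{E_1/X_1 ...} and the SPLIT instantiation of
Theorem 3.  Strings are tuples of action names; languages are sets of such
tuples truncated to length <= BOUND (an assumption of this example).
"""
BOUND = 6


def shuffle_strings(u, v):
    """All interleavings of two strings (each keeps its own letter order)."""
    if not u or not v:
        return {u + v}
    return ({(u[0],) + w for w in shuffle_strings(u[1:], v)}
            | {(v[0],) + w for w in shuffle_strings(u, v[1:])})


def concat(L1, L2):
    return {u + v for u in L1 for v in L2 if len(u) + len(v) <= BOUND}


def shuffle(L1, L2):
    return {w for u in L1 for v in L2 if len(u) + len(v) <= BOUND
            for w in shuffle_strings(u, v)}


def star(L):
    """Iteration, computed layer by layer until nothing new fits the bound."""
    result, layer = {()}, {()}
    while layer:
        layer = concat(layer, L) - result
        result |= layer
    return result


def sem(E, env):
    """[[E]]sigma (Fig. 1).  E is a nested tuple: ('act', c), ('var', x),
    ('+', E1, E2), (';', E1, E2), ('||', E1, E2) or ('*', E1)."""
    kind = E[0]
    if kind == "act":
        return {(E[1],)}
    if kind == "var":
        return set(env[E[1]])
    if kind == "+":
        return sem(E[1], env) | sem(E[2], env)
    if kind == ";":
        return concat(sem(E[1], env), sem(E[2], env))
    if kind == "||":
        return shuffle(sem(E[1], env), sem(E[2], env))
    if kind == "*":
        return star(sem(E[1], env))
    raise ValueError(kind)


def sn(E):
    """Shuffle nesting (Fig. 2)."""
    kind = E[0]
    if kind in ("act", "var"):
        return 0
    if kind in ("+", ";"):
        return max(sn(E[1]), sn(E[2]))
    if kind == "||":
        return sn(E[1]) + sn(E[2]) + 1
    return sn(E[1])


def variables(E):
    """FVar(E)."""
    if E[0] == "var":
        return {E[1]}
    if E[0] == "act":
        return set()
    return set().union(*(variables(sub) for sub in E[1:]))


def substitute(E, mapping):
    """E{E_1/X_1 ... E_n/X_n}: simultaneous substitution of expressions."""
    if E[0] == "var":
        return mapping.get(E[1], E)
    if E[0] == "act":
        return E
    return (E[0],) + tuple(substitute(sub, mapping) for sub in E[1:])


def split_expr(i, k):
    """SPLIT_k^i = sum_{j=1..k} a_{i,j}; b_{i,j} over fresh actions."""
    terms = [(";", ("act", f"a{i},{j}"), ("act", f"b{i},{j}")) for j in range(1, k + 1)]
    E = terms[0]
    for t in terms[1:]:
        E = ("+", E, t)
    return E


def valid_by_split(E1, E2):
    """Theorem 3 on the bounded semantics: instantiate X_i by SPLIT_k^i with
    k bounding the shuffle nesting (taken >= 1 so that SPLIT is non-empty,
    an assumption of this example) and compare the variable-free sides."""
    k = max(sn(E1), sn(E2), 1)
    names = sorted(variables(E1) | variables(E2))
    mapping = {x: split_expr(i, k) for i, x in enumerate(names, 1)}
    return sem(substitute(E1, mapping), {}) == sem(substitute(E2, mapping), {})


# Constructed expressions from the introduction.
X, Y = ("var", "X"), ("var", "Y")
FOLK_LHS = ("*", (";", ("*", X), ("*", Y)))       # (X*Y*)*
FOLK_RHS = ("*", ("+", X, Y))                      # (X+Y)*
SHUFFLE_LHS = ("||", X, Y)                         # X||Y
SHUFFLE_RHS = ("+", (";", X, Y), (";", Y, X))      # XY + YX
```

With single letters the identity $X \| Y = XY + YX$ looks valid, exactly as the introduction warns; under the $SPLIT$ instantiation the left side contains the interleaving $a_{1,1} a_{2,1} b_{1,1} b_{2,1}$, which the right side cannot produce, so the identity is rejected.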


4  Pomsets 


Definition 1 (Pratt [6]) A concrete pomset $P$ over a set $\Sigma$ of labels consists of a set of events $Events_P$ which are partially ordered by a relation $\le_P$ and a function $lab_P$ from $Events_P$ into $\Sigma$. A function $f$ is an isomorphism between concrete pomsets $P_1$ and $P_2$ if it is a label preserving isomorphism between the partial orders of $P_1$ and $P_2$. An (abstract) pomset is an isomorphism class of concrete pomsets.

Throughout the paper we provide some definitions and constructions for concrete pomsets. All these definitions/constructions are extended in a natural way to abstract pomsets.

Definition 2 Events $e_1$ and $e_2$ of a pomset $P$ are concurrent (notation $e_1\ co_P\ e_2$) if neither $e_1 \le_P e_2$ nor $e_2 \le_P e_1$.

Definition 3 The width of a pomset $P$ is the maximal number of mutually concurrent events in $P$.

Definition 4 A pomset language over $\Sigma$ is a set of pomsets over $\Sigma$. We say that a pomset language $PL$ has width at most $n$ if all pomsets in $PL$ have width less than or equal to $n$.
Definition 5 A concrete pomset $P$ is an augmentation of a concrete pomset $Q$ if $Events_P = Events_Q$, $lab_P = lab_Q$ and $e_1 \le_Q e_2$ implies $e_1 \le_P e_2$ for all $e_1, e_2 \in Events_P$.

Definition 6 A concrete pomset $P$ is a linearly ordered pomset if $\le_P$ is a linear order over $Events_P$.

We will identify a linearly ordered pomset over a label set $\Sigma$ with the corresponding string over the alphabet $\Sigma$. Also, every string language is considered as a pomset language.

Definition 7 The linearization of a pomset language $PL$ (notation $Lin(PL)$) is the string language $L$ such that $w \in L$ iff $w$ is a linearly ordered augmentation of a pomset $P \in PL$.

Notations: A pomset containing only one event labeled by $l$ will be denoted by $l$. The pomset language containing only one pomset $P$ will be denoted by $\{P\}$; in particular, the language containing only the one element pomset labeled by $l$ will be denoted by $\{l\}$.


5  Refinement 

Let $P$ be a pomset and $f$ be a function which assigns a pomset to every event of $P$.

The $f$-expansion of $P$ is a pomset $Q$ obtained by replacing every event of $P$ by its image. Formally,

$Events_Q = \{(e, e') : e \in Events_P,\ e' \in Events_{f(e)}\}$;

$(e_1, e_2) \le_Q (e_3, e_4)$ if either $e_1 <_P e_3$, or $e_1 = e_3$ and $e_2 \le_{f(e_1)} e_4$;

$lab_Q((e, e')) = lab_{f(e)}(e')$.

We use the notation $Expan(P, f)$ for the $f$-expansion of the pomset $P$.

Definition 8 A pomset language environment for a set of labels $\Sigma$ is a function which assigns a pomset language to every label in $\Sigma$.

Notations We use the notation $[l_1 \to PL_1, l_2 \to PL_2, \ldots, l_n \to PL_n]$ for the pomset environment which maps $l_i$ to $PL_i$, $i = 1, \ldots, n$. We denote by $PLE(\Sigma)$ the set of pomset language environments for $\Sigma$. We use $\alpha, \beta$ to range over pomset language environments. We denote by $SLE(\Sigma)$ the set of string language environments for $\Sigma$. We use $\sigma, \tau$ to range over string language environments.

Definition 9 Let $P$ be a pomset. Let $f$ be a function which assigns a pomset to every event of $P$ and let $\alpha$ be a pomset language environment for $\Sigma$. The function $f$ is consistent with $\alpha$ if for every event $e$

1. $f(e) \in \alpha(lab_P(e))$ if $lab_P(e) \in \Sigma$,

2. $f(e)$ is the one element pomset $lab_P(e)$ otherwise.

Definition 10 Let $\alpha$ be a pomset language environment for $\Sigma$. The $\alpha$-refinement $REF(PL, \alpha)$ of a pomset language $PL$ is $\{Expan(P, f) : P \in PL \text{ and } f \text{ is consistent with } \alpha\}$.

The refinement operation has properties similar to the substitution operation:

Lemma 4 Let $PL$ be a pomset language over an alphabet $\Sigma$ and $\alpha$ be a pomset language environment for an alphabet $\Sigma'$. If $\Sigma \cap \Sigma' \subseteq \{l_1, \ldots, l_k\}$ then

$REF(REF(PL, [l_1 \to PL_1, \ldots, l_k \to PL_k]), \alpha) = REF(PL, [l_1 \to REF(PL_1, \alpha), \ldots, l_k \to REF(PL_k, \alpha)]).$

The next lemma states how the linearization operator interacts with refinement.

Lemma 5 $Lin(REF(PL, [l_1 \to PL_1, \ldots, l_k \to PL_k])) = Lin(REF(PL, [l_1 \to Lin(PL_1), \ldots, l_k \to Lin(PL_k)]))$.


6 Operations definable by pomset languages

Definition 11 The application of a pomset language $PL$ to a string language
environment $\tau$ (notation $PL \bullet \tau$) is the string language defined as $Lin(REF(PL, \tau))$.

Definition 12 Let $F$ be a function from string language environments for $\Sigma$ into
string languages. We say that $F$ is definable by a pomset language $PL$ if
$F\tau = PL \bullet \tau$ for all $\tau \in SLE(\Sigma)$.

Observation 6 The regular operations and shuffle are pomset language definable,
namely

1. Let $PAR(X, Y)$ be the pomset consisting of two unordered events labeled
by $X$ and $Y$. It is easy to see that $[X \| Y]$ defines the same operation as
$\{PAR(X, Y)\}$ over the string environments for $\{X, Y\}$.

2. Let $SEQ(X, Y)$ be a pomset with two events labeled by $X$ and $Y$ such that the
event $X$ precedes the event $Y$. It is easy to see that $[X; Y]$ defines the same
operation as $\{SEQ(X, Y)\}$ over the string environments for $\{X, Y\}$.

3. Let $SUM(X, Y)$ be the pomset language consisting of the two one-element pomsets
$X$ and $Y$. It is easy to see that $[X + Y]$ defines the same operation as
$SUM(X, Y)$ over the string environments for $\{X, Y\}$.

4. Let $ITER(X)$ be the pomset language which consists of all finite strings over
the symbol $X$. It is easy to see that $[X^*]$ defines the same operation as $ITER(X)$
over the string environments for $\{X\}$.
$[a]^{pom} = \{a\}$

$[l]^{pom} = \{l\}$

$[E_1 + E_2]^{pom} = REF(SUM(X, Y), [X \to [E_1]^{pom}, Y \to [E_2]^{pom}])$

$[E_1; E_2]^{pom} = REF(SEQ(X, Y), [X \to [E_1]^{pom}, Y \to [E_2]^{pom}])$

$[E_1 \| E_2]^{pom} = REF(PAR(X, Y), [X \to [E_1]^{pom}, Y \to [E_2]^{pom}])$

$[E^*]^{pom} = REF(ITER(X), [X \to [E]^{pom}])$

Figure 3: Pomset Semantics


Theorem 7 For every shuffle regular expression $E$, the operation $\lambda\sigma.[E]\sigma$ is
definable by a pomset language with width bounded by the shuffle nesting of $E$.

Proof: By structural induction on the expressions the pomset language $[E]^{pom}$ is
assigned to every shuffle regular expression (see Fig. 3). Relying on Lemma 4,
Lemma 5 and Observation 6, it can be shown that $[E]\sigma = [E]^{pom} \bullet \sigma$, where $\sigma$ is
any string language environment for $Fvar(E)$. $\Box$

Definition 13 A string language environment $[l_1 \to L_1, \ldots, l_n \to L_n]$ is called a
split-choice environment for $\{l_1, \ldots, l_n\}$ if every $L_i$ contains only strings of length
two.

Lemma 8 $PL \bullet \tau = PL' \bullet \tau$ for every string language environment $\tau$ for $\Sigma$ iff
$PL \bullet \tau = PL' \bullet \tau$ for every split-choice environment $\tau$ for $\Sigma$.

This  lemma  can  be  strengthened  as  follows: 

Theorem 9 Let $PL$ and $PL'$ be pomset languages over the alphabet $\Sigma = \{m_1, \ldots, m_n\}$ and let
$\{a_{ij}, a'_{ij} : i = 1, \ldots, n;\ j \in Nat\}$ be distinct labels not in $\Sigma$. Let $L_i^{(\infty)}$ be the string
language $\{a_{ij}; a'_{ij} : j \in Nat\}$ and let $L_i^{(k)}$ be the string language $\{a_{ij}; a'_{ij} : j = 1, 2, \ldots, k\}$.

1. $PL \bullet \tau = PL' \bullet \tau$ for every string language environment $\tau$ for $\{m_1, \ldots, m_n\}$ iff
$PL \bullet [m_1 \to L_1^{(\infty)}, \ldots, m_n \to L_n^{(\infty)}] = PL' \bullet [m_1 \to L_1^{(\infty)}, \ldots, m_n \to L_n^{(\infty)}]$.

2. Let $PL$ and $PL'$ be pomset languages of width at most $k$. Then $PL \bullet \tau = PL' \bullet \tau$
for every string language environment $\tau$ for $\{m_1, \ldots, m_n\}$ if and only if
$PL \bullet [m_1 \to L_1^{(k)}, \ldots, m_n \to L_n^{(k)}] = PL' \bullet [m_1 \to L_1^{(k)}, \ldots, m_n \to L_n^{(k)}]$.

Remarks (1) The above theorem can be strengthened as follows: Let $k_i$ be the
bound on the number of mutually concurrent events labeled by $m_i$ in the pomset
languages $PL$ and $PL'$. Then $PL \bullet \tau = PL' \bullet \tau$ for every string language environment
$\tau$ for $\{m_1, \ldots, m_n\}$ if and only if

$PL \bullet [m_1 \to L_1^{(k_1)}, \ldots, m_n \to L_n^{(k_n)}] = PL' \bullet [m_1 \to L_1^{(k_1)}, \ldots, m_n \to L_n^{(k_n)}]$.

(2) Weaker versions of the above theorem have appeared in the literature.

Gischer [1] considered the operations definable by pomsets. One of his results can
be stated as follows: For pomsets $P$ and $P'$ with less than $k$ events, $\{P\} \bullet \tau = \{P'\} \bullet \tau$
for every string language environment $\tau$ for $\{m_1, \ldots, m_n\}$ if and only if
$\{P\} \bullet [m_1 \to L_1^{(k)}, \ldots, m_n \to L_n^{(k)}] = \{P'\} \bullet [m_1 \to L_1^{(k)}, \ldots, m_n \to L_n^{(k)}]$.

In [5] the special pomsets which are called semi-words are considered. A pomset
is a semi-word if no two events with the same label are concurrent. It was proved
in [5] that for semi-word languages $SWL$ and $SWL'$ the following theorem
holds: $SWL \bullet \tau = SWL' \bullet \tau$ for every string language environment $\tau$ for
$\{m_1, \ldots, m_n\}$ if and only if

$SWL \bullet [m_1 \to L_1^{(1)}, \ldots, m_n \to L_n^{(1)}] = SWL' \bullet [m_1 \to L_1^{(1)}, \ldots, m_n \to L_n^{(1)}]$.

(3) The proof of Theorem 9 can be extracted from the proofs of these two weaker
versions.
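The definitions of this section can be executed on small instances. The following Python is an added example written for this edition, not code from the paper: it represents a pomset concretely, implements $Expan(P, f)$, $Lin(P)$ and $PL \bullet \tau$ directly from the $f$-expansion definition, Definition 9 and Definition 11, checks Observation 6 (shuffle, concatenation and union against their string-level definitions) and applies the split-choice environments of Lemma 8 and Theorem 9 to two pomset languages that agree on one-letter environments but differ on a split-choice one. All function and variable names are the example's own; the fresh labels $a_{ij}, a'_{ij}$ are represented as the tuples $(m_i, j)$ and $(m_i, j, \text{'})$; the infinite language $ITER(X)$ is not modelled.

```python
"""Pomsets, f-expansion, linearization and application to a string language
environment, checked against Observation 6 and the split-choice environments of
Lemma 8 / Theorem 9.  Added example; a word is a tuple of symbols and a language
is a set of such tuples."""
from itertools import product


def transitive_closure(pairs):
    closure = set(pairs)
    while True:
        new = {(a, d) for (a, b) in closure for (c, d) in closure if b == c}
        if new <= closure:
            return closure
        closure |= new


class Pomset:
    """Events, a strict partial order ((e1, e2) means e1 <_P e2) and a labelling."""
    def __init__(self, labels, order=()):
        self.labels = dict(labels)                  # event -> label
        self.order = transitive_closure(order)
        assert all(e1 != e2 for (e1, e2) in self.order), "order must be irreflexive"


def word_pomset(word):
    """A word is the totally ordered pomset of its positions."""
    n = len(word)
    return Pomset(enumerate(word), {(i, j) for i in range(n) for j in range(i + 1, n)})


def expan(P, f):
    """Expan(P, f): replace each event e of P by the pomset f[e]."""
    labels = {(e, e2): f[e].labels[e2] for e in P.labels for e2 in f[e].labels}
    order = {((e1, e2), (e3, e4)) for (e1, e2), (e3, e4) in product(labels, repeat=2)
             if (e1, e3) in P.order or (e1 == e3 and (e2, e4) in f[e1].order)}
    return Pomset(labels, order)


def lin(P):
    """Lin(P): all linearizations of P, as tuples of labels."""
    result = set()

    def extend(prefix, remaining):
        if not remaining:
            result.add(tuple(P.labels[e] for e in prefix))
            return
        for e in remaining:                         # any minimal remaining event may go next
            if all((d, e) not in P.order for d in remaining):
                extend(prefix + [e], remaining - {e})

    extend([], frozenset(P.labels))
    return result


def apply_env(PL, tau):
    """PL • tau = Lin(REF(PL, tau)) (Definition 11) for a string language environment tau."""
    result = set()
    for P in PL:
        events = list(P.labels)
        # f consistent with tau (Definition 9): a word of tau(lab(e)) when lab(e) is in the
        # domain of tau, otherwise the one-event pomset carrying the label itself
        choices = [[word_pomset(w) for w in tau[P.labels[e]]] if P.labels[e] in tau
                   else [Pomset({0: P.labels[e]})] for e in events]
        for f in product(*choices):
            result |= lin(expan(P, dict(zip(events, f))))
    return result


def shuffle(u, v):
    """All interleavings of two words (the string-level meaning of ||)."""
    if not u or not v:
        return {u + v}
    return ({(u[0],) + w for w in shuffle(u[1:], v)}
            | {(v[0],) + w for w in shuffle(u, v[1:])})


PAR = Pomset({"x": "X", "y": "Y"})                    # two unordered events
SEQ = Pomset({"x": "X", "y": "Y"}, {("x", "y")})      # X precedes Y
SUM = [Pomset({"x": "X"}), Pomset({"y": "Y"})]        # two one-event pomsets


def observation_6_holds(LX, LY):
    """{PAR}, {SEQ} and SUM define shuffle, concatenation and union of LX and LY."""
    tau = {"X": LX, "Y": LY}
    par_ok = apply_env([PAR], tau) == set().union(*(shuffle(u, v) for u in LX for v in LY))
    seq_ok = apply_env([SEQ], tau) == {u + v for u in LX for v in LY}
    sum_ok = apply_env(SUM, tau) == set(LX) | set(LY)
    return par_ok and seq_ok and sum_ok


def split_choice_env(names, k):
    """[m_i -> L_i^(k)] of Theorem 9: each m_i maps to the k two-letter words a_ij a'_ij;
    the fresh symbols are represented here as (m_i, j) and (m_i, j, "'")."""
    return {m: {((m, j), (m, j, "'")) for j in range(1, k + 1)} for m in names}


def distinguished_by_split_choice(PL, PL2, names, k):
    """Do PL and PL2 differ on the split-choice environment with k choices per label?"""
    env = split_choice_env(names, k)
    return apply_env(PL, env) != apply_env(PL2, env)
```

The instructive case is $\{PAR(X, Y)\}$ against $\{SEQ(X, Y), SEQ(Y, X)\}$: on the environment that maps each label to itself both yield $\{XY, YX\}$, but the split-choice environment with one choice per label (the $L_i^{(1)}$ of Theorem 9) already separates them, because the interleaving of two two-letter words can split each of them while a sequential composition cannot.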


7 Further Results

7.1 Complexity of the valid identity problem

An exponential space algorithm can be provided for the valid identity problem.
Mayer and Stockmeyer [2] provided an EXPSPACE lower bound for the valid identity
problem of variable-free shuffle regular expressions. Together these results give
matching lower and upper bounds for the valid identity problem.


7.2 Extension by other pomset language definable operations

Let $OP$ be an $n$-ary operation on string languages. We say that $OP$ is effective on
regular languages if there exists an algorithm which constructs a finite automaton
for the language $OP(L_1, \ldots, L_n)$ from finite automata for $L_1, \ldots, L_n$.

We say that $OP$ is definable by a (finite width) pomset language if there exists a (finite
width) pomset language $PL$ such that $PL \bullet [1 \to L_1, \ldots, n \to L_n] = OP(L_1, \ldots, L_n)$
for any languages $L_1, \ldots, L_n$.

Note that the operations definable by finite pomset languages are effective on regular
languages. Among such operations are operations which are not definable by
any shuffle regular expression.

The valid identity problem is decidable for the expressions constructed over any set
of operations which are effective on regular languages and are definable by finite
width pomset languages.

7.3 Extension by Intersection

Micciancio [4] proved the decidability of the valid identity problem for constant-free
shuffle-intersection regular expressions. These expressions are defined by the
following grammar: $E ::= x \mid E \cap E \mid E + E \mid E; E \mid E \| E \mid E^*$, where $x$ ranges
over variable symbols.

Note that intersection is not a pomset language definable operation. Micciancio's
very interesting proof is given in terms of interleaving semantics and does not
use pomsets explicitly. It is an open problem whether his results and techniques
can be extended to other pomset language definable operations and in particular
to expressions which contain constants.
Stubborn Set Methods for Process Algebras

Antti  Valmari 


Abstract. The construction of reduced state spaces of concurrent process-algebraic
systems using the stubborn set or related methods is discussed. The
goal is to avoid altogether the construction of the big ordinary state space of the
system, and construct a smaller, but equivalent, state space instead. Five equivalence
notions are covered: “deadlock equivalence” (the reduced and full state
spaces have exactly the same deadlock states), trace equivalence, CSP-equivalence,
CFFD-equivalence and branching bisimilarity. Most of the methods are
similar to stubborn set or related methods in other application areas. However,
because of the absence of the notion of “structural deterministic transition”
(such as the Petri net transition) in process algebras, earlier definitions and
proofs were not applicable, and the theory behind the methods had to be redeveloped
from the beginning.


1.  Introduction 

The  fact  that  the  total  effect  of  a  set  of  concurrent  transitions  (or  operations  or 
actions)  is  independent  of  execution  order  has  been  utilised  in  computer-aided  verification 
methods  in  many  ways.  One  main  approach  is  to  generate  only  a  subset  of  the  interleaved 
executions  of  the  system  under  verification  (see  e.g.  [God96,  Pel93,  Val94]).  The  subset  is 
represented  as  an  ordinary  interleaved  state  space,  called  reduced  state  space.  It  is  chosen 
in  such  a  way  that  from  the  point  of  view  of  the  verification  task  at  hand,  it  can  represent 
all  executions.  That  is,  the  answer  to  the  verification  question  is  guaranteed  to  be  the  same 
for  both  the  full  and  the  reduced  state  space. 

The reduced state space is obtained by using only a subset of enabled transitions
when constructing the immediate successor states of a state. It has turned out that the
selection of a “sufficient” subset depends on the verification question. Furthermore, it may
be necessary to ensure that certain conditions that depend on more than one state hold in
the reduced state space. Even for a fixed verification question, the construction of the sufficient
subset depends on the formalism in which the system has been represented — the
techniques that are good for Petri nets do not necessarily work for parallel labelled transition
systems. Moreover, the subset is not completely defined by the requirement that it has
to be “sufficient”. Some algorithms are capable of finding smaller sufficient subsets than
others, at the price of consuming more time.

As a consequence, different authors have investigated the reduced state space construction
problem with different goals and formal frameworks, and have developed a variety
of different algorithms and methods with names such as persistent sets, ample sets and
stubborn sets. Despite the differences, these approaches have quite a lot in common.
Many  ideas  that  have  been  originally  developed  in  the  context  of,  say,  ample  sets,  can  be 
used  with,  say,  stubborn  sets.  To  be  consistent  with  terminology  within  this  article,  the 
stubborn  set  vocabulary  is  used.  It  is  emphasized,  however,  that  from  the  point  of  view  of 
the  subject  matter  this  is  a  somewhat  arbitrary  choice;  this  article  could  have  been  written 
in  the  ample  set  or  persistent  set  language. 

The generic term “partial-order methods” is often used for the stubborn set method
and its relatives. But it also covers methods that are not based on choosing representative
interleavings and presenting them in the form of an ordinary (but reduced) state space,
such as the unfolding method [McM93, Esp94]. So it is too general for the present article.
Furthermore, in the opinion of the present author, the term “partial-order methods” is misleading.
The term refers to semantic models of concurrency where the ordering of the
occurrences of mutually independent transitions is partial. The stubborn set and related
methods take advantage of commutativity properties that resemble the “independency”
relation of partial-order models, but are slightly different, and sometimes have different consequences.
(This difference will not be obvious in the context of the present article, but it
has proven important in the case of Petri nets, for instance.)

This article is devoted to the application of the stubborn set approach (or its relatives)
to process-algebraic verification. Compared to other applications of stubborn set methods,
the biggest difference is in the notion of “transition”. Stubborn set methods usually rely on
“deterministic” “structural” transitions, such as the transitions of a Petri net. Transitions
are responsible for state changes. That they are “deterministic” means that the occurrence
of a transition in a state always produces the same immediate successor state. The word
“structural” indicates that it is meaningful to talk about the same transition in different
states. In process algebras, the word “transition” denotes what would be the occurrence of
a transition in Petri net terminology. No individual “performer” of the occurrence can be
distinguished; the responsibility for (the execution of) the transition is distributed over several
processes of the system. Deterministic structural transitions do not exist. The set of
processes that participate in (the execution of) a transition is determined by the concept of
action. In some sense, an action is the name of several transitions. Actions are structural,
but they are not deterministic.

The absence of deterministic structural transitions affects the development of the theory.
It is no longer possible to rely on the assumption that if two transitions occur in
both orders, the end result is the same. This is because the end result is no longer unique, so
the two orderings may choose different members from the set of possible end results. The
use of actions also has some effects on the construction of stubborn sets. In other respects,
the stubborn set methods and algorithms for process-algebraic verification are pretty much
the same as in other stubborn set or related methods.

The goal of the methods described in this article is to produce a reduced state space
that is equivalent to the full one in the sense of some process-algebraic equivalence. Literally
hundreds of different equivalences have been defined in the process algebra literature.
The majority of them are, however, based on a few main ideas. In this article we discuss some
well-known and one less well-known equivalence that together cover most of the important
ideas.

The earliest explicit application of the stubborn set or related methods to process
algebras was [VaC91]. In it, transitions were deterministic, but not structural. As a consequence,
the mathematics became complicated, and it was almost impossible to describe
how stubborn sets may be constructed. These problems were solved in [Val92b] by using
actions as transitions and re-working the theory to allow non-deterministic transitions. The
goal of [Val92b] was to produce reduced state spaces that are CSP- [BrR85, Hoa85] or
CFFD-equivalent [VaT91, VaT95] with the full ones. The method was closely related to
the linear-temporal-logic-preserving stubborn set method presented in [Val92a]. A method
that preserves branching bisimilarity [vGW89, vGl90] was first presented in [GK+95].
Because branching bisimilarity implies weak bisimilarity (also known as observation
equivalence) [Mil89], the [GK+95] method also preserves the latter.

This article is organised as follows. The necessary process-algebraic concepts including
the above-mentioned equivalences are introduced in Section 2. To simplify the development
of the stubborn set theory, the definitions are presented in a somewhat non-standard
form, although the concepts they define are standard. Section 3 presents the basic
facts about the stubborn sets of process-algebraic concurrent systems. A method preserving
trace equivalence is described in Section 4. This method is a reasonably straightforward
application of the results in [Val91] and [Val92b]. The CSP- and CFFD-preserving
methods from [Val92b] are repeated in Section 5. Section 6 is devoted to a translation of
the [GK+95] branching bisimilarity method to the present framework with non-deterministic
actions. The conclusions are in Section 7.

Throughout  this  article,  small  improvements  are  made  to  the  methods  presented.  For 
instance,  the  assumption  that  the  reduced  state  space  is  finite,  is  mostly  eliminated.  This 
may  become  important  in  the  future,  if  the  stubborn  set  method  is  combined  with  methods 
that  represent  infinite  state  spaces  by  finite  data  structures. 

2.  Processes,  Parallel  Composition,  and  Equivalences 

In process algebras, the behaviour of a system consists of executions of actions.
There are two kinds of actions: visible and invisible. Each system has a fixed set of visible
actions it may execute, and the environment of the system can observe or even synchronise
with the execution of a visible action. Executions of invisible actions cannot be
directly observed. It is customary to use the one symbol “$\tau$” to denote all of them. An
invisible action may represent a hidden internal action in which several component
processes of the system participate. Knowledge of the set of the component processes that
participate in the internal action is important for the stubborn set method. Therefore, in this
article, invisible actions are not denoted by $\tau$, but it is assumed that each process has its
own sets of visible and invisible actions. As was described in [Val92b], a system with
$\tau$-transitions can be easily converted to the form required in this article by re-naming the
$\tau$-transitions in a suitable way.

In process-algebraic computer-aided verification, the behaviour of a system is usually
represented by a labelled transition system (LTS). An LTS is a directed graph whose vertices
correspond to states, one of the vertices is distinguished as the initial state, and edges
correspond to transitions and are labelled by actions.

Definition 2.1 A labelled transition system (LTS) is a five-tuple $(S, \Sigma_V, \Sigma_I, \Delta, is)$,
where $S$ is the set of states, $\Sigma_V$ is the set of visible actions, $\Sigma_I$ is the set of invisible actions,
$\Sigma_V \cap \Sigma_I = \emptyset$, $\Delta \subseteq S \times (\Sigma_V \cup \Sigma_I) \times S$ is the set of transitions, and $is \in S$ is the initial state.
The action alphabet is $\Sigma = \Sigma_V \cup \Sigma_I$. $\Box$

The  following  notation  is  useful  for  talking  about  action  sequences  and  enabled 
actions. 


Definition 2.2 Let $L = (S, \Sigma_V, \Sigma_I, \Delta, is)$ be an LTS, $s, s'$ and $s_0, \ldots, s_n \in S$, and $a$ and
$a_1, \ldots, a_n \in \Sigma$.

• $s \xrightarrow{a} s'$ if and only if $(s, a, s') \in \Delta$.

• $s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} s_n$ if and only if $s_0 \xrightarrow{a_1} s_1$ and ... and $s_{n-1} \xrightarrow{a_n} s_n$.

• $s \xrightarrow{a_1 a_2 \ldots a_n} s'$ if and only if there are $s_0, \ldots, s_n \in S$ such that $s_0 = s$, $s_n = s'$, and
$s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} s_n$.

• $s \to^* s'$ if and only if there are $a_1, \ldots, a_n \in \Sigma$ such that $s \xrightarrow{a_1 \ldots a_n} s'$. In particular,
$s \to^* s$.

• $s \xrightarrow{a_1 a_2 \ldots a_n}$ if and only if there is $s'$ such that $s \xrightarrow{a_1 a_2 \ldots a_n} s'$.

• $s \overset{a_1 a_2 \ldots a_n}{\nrightarrow} s'$ if and only if $\neg(s \xrightarrow{a_1 a_2 \ldots a_n} s')$,
and similarly with $s \overset{a_1 a_2 \ldots a_n}{\nrightarrow}$ and $s \not\to^* s'$.

• $next(s) = \{a \in \Sigma \mid s \xrightarrow{a}\}$. $\Box$

The parallel composition of LTSs is defined below. A parallel composition may execute
action $a$ if and only if all component processes that have $a$ in their alphabets are ready
to execute $a$. The execution of $a$ forces all those component processes to execute an $a$-transition,
and does not affect the remaining component processes. Synchronisation is thus
determined by the alphabets of the component processes.

Definition 2.3 Let $L_1 = (S_1, \Sigma_{V1}, \Sigma_{I1}, \Delta_1, is_1), \ldots, L_n = (S_n, \Sigma_{Vn}, \Sigma_{In}, \Delta_n, is_n)$ be LTSs
such that $(\Sigma_{V1} \cup \cdots \cup \Sigma_{Vn}) \cap (\Sigma_{I1} \cup \cdots \cup \Sigma_{In}) = \emptyset$. Their parallel composition is the
LTS $L_1 \| \cdots \| L_n = (S, \Sigma_V, \Sigma_I, \Delta, is)$ defined as follows:

• $S = S_1 \times \cdots \times S_n$, $\Sigma_V = \Sigma_{V1} \cup \cdots \cup \Sigma_{Vn}$, $\Sigma_I = \Sigma_{I1} \cup \cdots \cup \Sigma_{In}$, and $is = (is_1, \ldots, is_n)$.

• Let $(s_1, \ldots, s_n) \in S$ and $a \in \Sigma_V \cup \Sigma_I$. We have $((s_1, \ldots, s_n), a, (s'_1, \ldots, s'_n)) \in \Delta$ if and
only if for every $1 \le i \le n$, either $a \in \Sigma_{Vi} \cup \Sigma_{Ii}$ and $(s_i, a, s'_i) \in \Delta_i$, or $a \notin \Sigma_{Vi} \cup \Sigma_{Ii}$ and
$s'_i = s_i$. $\Box$

We  use  the  following  notation  for  sequences. 

Definition 2.4

• The empty sequence is denoted by $\varepsilon$.

• $X^*$ and $X^\omega$ are the sets of finite and infinite sequences of symbols from $X$.

• If $\sigma$ and $\sigma' \in X^* \cup X^\omega$, then $\sigma' < \sigma$ denotes that $\sigma'$ is a proper prefix of $\sigma$, and $\sigma' \le \sigma$
holds if and only if $\sigma' < \sigma$ or $\sigma' = \sigma$. $\Box$

The  main  goal  of  process-algebraic  equivalences  is  to  abstract  away  from  invisible 
actions.  The  following  notation  and  concepts  are  useful  for  that  purpose. 

Definition 2.5 Let $L = (S, \Sigma_V, \Sigma_I, \Delta, is)$ be an LTS, $s$ and $s' \in S$, $\rho \in \Sigma^*$, and $\sigma \in \Sigma_V^*$.

• $vis(\rho)$ is the result of the removal of all actions in $\Sigma_I$ from $\rho$.

• $s \overset{\sigma}{\Longrightarrow} s'$ if and only if there is $\rho \in \Sigma^*$ such that $s \xrightarrow{\rho} s'$ and $\sigma = vis(\rho)$.

• $s \overset{\sigma}{\Longrightarrow}$ if and only if there is an $s'$ such that $s \overset{\sigma}{\Longrightarrow} s'$.

• $s \overset{\sigma}{\not\Longrightarrow} s'$ if and only if $\neg(s \overset{\sigma}{\Longrightarrow} s')$, and similarly with $s \overset{\sigma}{\not\Longrightarrow}$. $\Box$

Three of the equivalences that we will discuss can be defined in terms of the following
sets. Stability of a state means that if a process is in a stable state, then its next action
cannot be invisible. A process is stable if its initial state is. The ordinary and infinite traces
of a process are the finite and infinite sequences of visible actions generated by the (not
necessarily complete) executions of the process. A divergence trace is a trace after which
the process can execute an infinite sequence of invisible actions. A divergence trace is
minimal, if none of its proper prefixes is a divergence trace. A stable failure consists of a
trace and a set of visible actions such that after executing the trace, the process may be in
a stable state where it cannot execute any action from the set. In the CSP theory [BrR85,
Hoa85] divergence is considered catastrophic. The catastrophic nature of divergence can
be represented in the present framework by declaring that a process may do just anything
after executing a divergence trace. Therefore, any sequence of visible actions that has a
“real” divergence trace as its prefix is considered a CSP-divergence trace, and it may be
paired with just any set of visible actions to form a CSP-failure.

Definition 2.6 Let $L = (S, \Sigma_V, \Sigma_I, \Delta, is)$ be an LTS.

• $s \in S$ is stable, if and only if $s \overset{a}{\nrightarrow}$ for every $a \in \Sigma_I$. Furthermore, $L$ is stable if and
only if its initial state $is$ is stable. The predicate $stable(L)$ is “true” if and only if $L$ is
stable.

• The set of traces of $L$ is $tr(L) = \{\sigma \in \Sigma_V^* \mid is \overset{\sigma}{\Longrightarrow}\}$.

• The set of stable failures of $L$ is

$sfail(L) = \{(\sigma, A) \in \Sigma_V^* \times 2^{\Sigma_V} \mid \exists s \in S: is \overset{\sigma}{\Longrightarrow} s \wedge next(s) \subseteq \Sigma_V - A\}$.

• The set of infinite traces of $L$ is

$inftr(L) = \{\xi \in \Sigma_V^\omega \mid \exists \omega \in \Sigma^\omega: \xi = vis(\omega) \wedge is \xrightarrow{\omega}\}$.

• The set of divergence traces of $L$ is

$divtr(L) = \{\sigma \in \Sigma_V^* \mid \exists \omega \in \Sigma^\omega: \sigma = vis(\omega) \wedge is \xrightarrow{\omega}\}$.

• The set of minimal divergence traces of $L$ is

$mindiv(L) = \{\sigma \in divtr(L) \mid \forall \sigma' < \sigma: \sigma' \notin divtr(L)\}$.

• The set of CSP-divergence traces of $L$ is

$CSPdiv(L) = \{\sigma \in \Sigma_V^* \mid \exists \sigma' \in divtr(L): \sigma' \le \sigma\}$.

• The set of CSP-failures of $L$ is

$CSPfail(L) = sfail(L) \cup (CSPdiv(L) \times 2^{\Sigma_V})$. $\Box$

The trace equivalence, CSP-equivalence [BrR85, Hoa85] and CFFD-equivalence
[VaT91, VaT95] can be defined as follows. The trace equivalence simply compares the
sets of traces of two systems. CSP-equivalence compares the CSP variants of the failures
and divergence traces. CFFD-equivalence uses stable failures and “real” divergence
traces. In order to maintain the compositionality property that is often required from process-algebraic
equivalences, CFFD-equivalence compares also the infinite traces and initial
stability. CFFD-equivalence is strictly stronger than CSP-equivalence in the sense that
CFFD-equivalence makes more distinctions between systems. Unlike CSP-equivalence,
CFFD-equivalence preserves meaningful information of the behaviour of a process even
after it has executed a divergence trace. The motivation behind the definition of CFFD-equivalence
is explained in detail and CFFD-equivalence is compared to CSP-equivalence
in [VaT95].

Definition 2.7 Let $L_1$ and $L_2$ be two LTSs such that their sets of visible actions are
the same, i.e. $\Sigma_{V1} = \Sigma_{V2}$.

• $L_1 =_{tr} L_2$ if and only if $tr(L_1) = tr(L_2)$.

• $L_1 =_{CSP} L_2$ if and only if $CSPfail(L_1) = CSPfail(L_2)$ and $CSPdiv(L_1) = CSPdiv(L_2)$.

• $L_1 =_{CFFD} L_2$ if and only if $stable(L_1) = stable(L_2)$, $sfail(L_1) = sfail(L_2)$,
$divtr(L_1) = divtr(L_2)$, and $inftr(L_1) = inftr(L_2)$. $\Box$


The last two equivalences discussed in this article are weak bisimilarity [Mil89] and
branching bisimilarity [vGW89, vGl90]. They are both based on a notion of simulation
between LTSs. Two systems are equivalent, if they can simulate each other starting at their
initial states. In weak bisimilarity, an invisible transition may be simulated by a sequence
of invisible transitions of any length, and a transition labelled by a visible action $a$ may be
simulated by a sequence consisting of an $a$-transition surrounded by any number of invisible
transitions. In branching bisimilarity, invisible transitions may be simulated by doing
nothing. Furthermore, any $a$-transition may be simulated by first executing zero or more
invisible transitions in such a way that this sequence may be simulated by doing nothing;
and then executing an $a$-transition if $a$ is visible, or an invisible transition if $a$ is invisible.
The simulation relations are traditionally defined on the states of a single LTS.

Definition 2.8 Let $L = (S, \Sigma_V, \Sigma_I, \Delta, is)$ be an LTS. A binary relation ${\sim} \subseteq S \times S$ over
the states of $L$ is a weak bisimulation, if and only if for every $a \in \Sigma$ and every $s_1, s_2$ and
$s \in S$ such that $s_1 \sim s_2$ the following hold:

• If $s_1 \xrightarrow{a} s$, then there is $s' \in S$ such that $s \sim s'$ and $s_2 \overset{vis(a)}{\Longrightarrow} s'$.

• If $s_2 \xrightarrow{a} s$, then there is $s' \in S$ such that $s' \sim s$ and $s_1 \overset{vis(a)}{\Longrightarrow} s'$.

The relation is a branching bisimulation, if and only if for every $a \in \Sigma$ and every $s_1, s_2$
and $s \in S$ such that $s_1 \sim s_2$ the following hold:

• If $s_1 \xrightarrow{a} s$, then either $a \in \Sigma_I$ and $s \sim s_2$, or there are $s'_0$ and $s' \in S$ and $b \in \Sigma$ such
that $s_1 \sim s'_0$, $s \sim s'$, $s_2 \overset{\varepsilon}{\Longrightarrow} s'_0 \xrightarrow{b} s'$, and $vis(a) = vis(b)$.

• If $s_2 \xrightarrow{a} s$, then either $a \in \Sigma_I$ and $s_1 \sim s$, or there are $s'_0$ and $s' \in S$ and $b \in \Sigma$ such
that $s'_0 \sim s_2$, $s' \sim s$, $s_1 \overset{\varepsilon}{\Longrightarrow} s'_0 \xrightarrow{b} s'$, and $vis(a) = vis(b)$.

Furthermore,

• The states $s_1, s_2 \in S$ of $L$ are weakly / branching bisimilar, if and only if there is a
weak / branching bisimulation $\sim$ such that $s_1 \sim s_2$.

• Let $L_1 = (S_1, \Sigma_V, \Sigma_I, \Delta_1, is_1)$ and $L_2 = (S_2, \Sigma_V, \Sigma_I, \Delta_2, is_2)$ be two LTSs such that their
alphabets are the same and, furthermore, $S_1 \cap S_2 = \emptyset$. They are weakly / branching
bisimilar, if and only if their initial states $is_1$ and $is_2$ are weakly / branching bisimilar
in their joint LTS $(S_1 \cup S_2, \Sigma_V, \Sigma_I, \Delta_1 \cup \Delta_2, is_1)$. $\Box$

Because any branching bisimulation is also a weak bisimulation, branching bisimilarity
is strictly stronger than weak bisimilarity.

3.  Stubborn  Sets  and  Reduced  State  Spaces 

The number of states of a parallel composition tends to grow exponentially in the
numbers of states of its component processes. The goal of the stubborn set method is to
construct a reduced LTS for the parallel composition in such a way that it is equivalent
with the full LTS, but contains significantly fewer states and transitions. This is achieved by
investigating at any state of the parallel composition only a subset of enabled actions and
thus constructing only a subset of the immediate successors of the state. For the development
of the theory, it is handy to talk about a larger set that may also contain disabled
actions. This larger set is called stubborn.

The  construction  of  stubborn  sets  for  a  parallel  composition  will  be  discussed  soon, 
but  before  that  the  fundamental  properties  that  stubborn  sets  guarantee  are  listed.  The 
main  theorems  of  this  article  will  be  proven  from  these  properties,  without  relying  on  any 
particular  construction  of  stubborn  sets.  This  makes  the  theory  more  modular,  and  — 
hopefully  —  the  fundamental  ideas  clearer. 


Figure  1  Illustrations  of  conditions  Al,  A2  and  A3 

Because we will not always need both A2 and A3 in our proofs, we require only one
of them in the definition below.

Definition 3.1 Let $L = (S, \Sigma_V, \Sigma_I, \Delta, is)$ be an LTS. A stubborn set generator is a
function $A: S \to 2^\Sigma$ such that for every $s_0, s'_0, s_1, s'_1, \ldots \in S$, $a \in A(s_0)$, and $a_1, a_2, \ldots \in \Sigma - A(s_0)$,
it is true that A0, A1, and at least one of A2 and A3 from the list below hold.

(A0) If $next(s_0) \ne \emptyset$ then $A(s_0) \cap next(s_0) \ne \emptyset$.

(A1) If $s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} s_n$ and $s_n \xrightarrow{a} s'_n$ then there are $s'_0, \ldots, s'_{n-1} \in S$ such that
$s'_0 \xrightarrow{a_1} s'_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} s'_n$ and $s_0 \xrightarrow{a} s'_0$.

(A2) If $s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} s_n$ and $s_0 \xrightarrow{a} s'_0$ then there are $s'_1, \ldots, s'_n \in S$ such that
$s'_0 \xrightarrow{a_1} s'_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} s'_n$ and $s_n \xrightarrow{a} s'_n$.

(A3) If $s_0 \xrightarrow{a} s'_0$ and $s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} s_2 \xrightarrow{a_3} \cdots$ then there are $s'_1, s'_2, \ldots \in S$ such that
$s'_0 \xrightarrow{a_1} s'_1 \xrightarrow{a_2} s'_2 \xrightarrow{a_3} \cdots$. $\Box$

The set $A(s)$ is called a stubborn set. The condition A0 requires that a stubborn set
should contain an enabled action if there are any. A1 guarantees that a disabled action
belonging to a stubborn set remains disabled at least until an action belonging to the set
occurs. Furthermore, it allows in any execution to “move to the front” the first occurrence
of an action in the stubborn set. A2 claims that any enabled action within the stubborn set
commutes with all finite sequences of outside actions, and A3 extends A2 to infinite
sequences.¹ The conditions A1, A2 and A3 are illustrated in Figure 1. In the illustration,
vertical and horizontal transitions correspond to actions inside and outside the stubborn
set, respectively.

The following theorem gives a sufficient condition for a stubborn set of a parallel composition $L = L_1 \parallel \ldots \parallel L_n$. The proof of the theorem is dull and omitted, but it can be found in [Val92b]. In order to avoid confusion, we use the notation "$\xrightarrow{a}_j$" and "$\mathit{next}_j$" when talking about the transitions and enabled actions of $L_j$, while the absence of the subscript refers to $L$.

¹ Although it might seem that A3 follows from A2, this is not the case. The possibility has not been ruled out that $s'_1, \ldots, s'_n$ obtain different values for each $n$, so that $s'_0 \xrightarrow{a_1 \ldots a_n}$ for every $n$, but $s'_0$

Theorem 3.2 Let $L = L_1 \parallel \ldots \parallel L_n$ be the parallel composition of the LTSs $L_1 = (S_1, \Sigma_{V1}, \Sigma_{I1}, \Delta_1, \mathit{is}_1)$, ..., $L_n = (S_n, \Sigma_{Vn}, \Sigma_{In}, \Delta_n, \mathit{is}_n)$, and $A: S \to 2^{\Sigma}$. If $A(s)$ satisfies the following three conditions in the state $s = (s_1, \ldots, s_n)$ of $L$, then A0, A1, A2 and A3 hold in $s$.

• If $a \in A(s)$ and $a \notin \mathit{next}(s)$, then there is $1 \le j \le n$ such that $a \in \Sigma_j$, $a \notin \mathit{next}_j(s_j)$, and $\mathit{next}_j(s_j) \subseteq A(s)$.

• If $a \in A(s)$ and $a \in \mathit{next}(s)$, then for every $1 \le j \le n$, either $a \notin \Sigma_j$, or $\mathit{next}_j(s_j) \subseteq A(s)$.

• If there is $a \in \Sigma$ such that $s \xrightarrow{a}$, then there is $a \in A(s)$ such that $s \xrightarrow{a}$. □

Unlike A1, A2 and A3, the conditions in Theorem 3.2 concern only one state. Therefore, it is possible to design algorithms that investigate only that state and construct a stubborn set satisfying the conditions. Many such algorithms have been presented in the literature, for instance in [Val88, Val92a, God96]. Although the algorithms have been expressed mostly in other frameworks than the present one, they can be applied to the context of Theorem 3.2 without much difficulty. Therefore, it is not reasonable to repeat them here. [Val92b] describes some of them in the present framework.
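The following Python program is an added example, not part of the article or of [Val92b]: it computes a stubborn set for one global state of a small, constructed parallel composition by closing the set under the first two conditions of Theorem 3.2, and checks all three conditions afterwards. The component LTSs L1 and L2, the synchronising action c, and all function names are assumptions made for the example.

```python
# Added example (not from the article): a closure algorithm that builds, in one
# global state, a stubborn set meeting the three conditions of Theorem 3.2 for
# a parallel composition L_1 || ... || L_n, plus a checker for the conditions.
# A component LTS is (states, initial state, transitions as (s, action, s')
# triples, alphabet); actions shared by several alphabets synchronise.

# Constructed components: c is shared by both, a and b are local.
L1 = ({"p0", "p1", "p2"}, "p0", {("p0", "a", "p1"), ("p1", "c", "p2")}, {"a", "c"})
L2 = ({"q0", "q1", "q2"}, "q0", {("q0", "b", "q1"), ("q1", "c", "q2")}, {"b", "c"})
COMPS = (L1, L2)

def alphabet(comp):
    return comp[3]

def next_j(comp, local_state):
    """next_j(s_j): the actions component j can perform in its local state."""
    return {a for (p, a, _) in comp[2] if p == local_state}

def global_next(comps, s):
    """next(s) of the composition: a is enabled iff every component whose
    alphabet contains a can perform a locally (s is a tuple of local states)."""
    sigma = set().union(*(alphabet(c) for c in comps))
    return {a for a in sigma
            if all(a in next_j(c, sj) for c, sj in zip(comps, s) if a in alphabet(c))}

def stubborn_set(comps, s, seed):
    """Closure from `seed`: a disabled action pulls in next_j(s_j) of one
    component that blocks it (first condition of Theorem 3.2); an enabled
    action pulls in next_j(s_j) of every component that synchronises on it
    (second condition). The third condition holds when `seed` is enabled."""
    enabled = global_next(comps, s)
    result, work = {seed}, [seed]
    while work:
        a = work.pop()
        if a in enabled:
            new = set().union(*(next_j(c, sj) for c, sj in zip(comps, s)
                                if a in alphabet(c)))
        else:
            blockers = [(c, sj) for c, sj in zip(comps, s)
                        if a in alphabet(c) and a not in next_j(c, sj)]
            if not blockers:
                raise ValueError(f"{a} is not in the alphabet of the composition")
            new = next_j(*blockers[0])
        for b in new - result:
            result.add(b)
            work.append(b)
    return result

def satisfies_theorem_3_2(comps, s, A):
    """Check the three conditions of Theorem 3.2 for the set A in state s."""
    enabled = global_next(comps, s)
    for a in A:
        if a in enabled:
            ok = all(a not in alphabet(c) or next_j(c, sj) <= A
                     for c, sj in zip(comps, s))
        else:
            ok = any(a in alphabet(c) and a not in next_j(c, sj) and next_j(c, sj) <= A
                     for c, sj in zip(comps, s))
        if not ok:
            return False
    return not enabled or bool(A & enabled)

def smallest_stubborn(comps, s):
    """Try every enabled action as a seed and keep the smallest closure; the
    empty set is the only choice in a deadlock state."""
    candidates = [stubborn_set(comps, s, a) for a in sorted(global_next(comps, s))]
    return min(candidates, key=len) if candidates else set()

if __name__ == "__main__":
    for state in [("p0", "q0"), ("p1", "q0"), ("p1", "q1"), ("p2", "q2")]:
        A = smallest_stubborn(COMPS, state)
        print(state, sorted(A), satisfies_theorem_3_2(COMPS, state, A))
```

Seeding the closure with a disabled action is allowed, as in the theorem: from the initial state, seeding with the disabled synchronisation c pulls in the enabled local action a of the component that blocks c, so the result {a, c} still contains an enabled action. Trying all enabled seeds and keeping the smallest set is one simple heuristic; the literature cited above contains more refined ones.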

The sets of states and transitions of the reduced LTS are subsets of the sets of states and transitions of the LTS representing the full parallel composition. To facilitate convenient discussion of the same states and transitions as members of the full and reduced LTS, a double-dot notation is introduced.

Definition 3.3 Let $L = (S, \Sigma_V, \Sigma_I, \Delta, \mathit{is})$ be an LTS and $A: S \to 2^{\Sigma}$ a stubborn set generator. The reduced LTS of $L$ induced by $A$ is $\ddot L = (\ddot S, \Sigma_V, \Sigma_I, \ddot\Delta, \mathit{is})$, where $\ddot S$ is the smallest subset of $S$ and $\ddot\Delta$ is the smallest subset of $\Delta$ such that

• $\mathit{is} \in \ddot S$,

• if $s \in \ddot S$, $s \xrightarrow{a} s'$, and $a \in A(s)$, then $s' \in \ddot S$ and $(s, a, s') \in \ddot\Delta$.

Furthermore, if $s$ and $s' \in \ddot S$, $a \in \Sigma$, and $\rho \in \Sigma^{*}$, then

• $s \mathrel{\ddot{\xrightarrow{a}}} s'$ if and only if $s \xrightarrow{a} s'$ and $a \in A(s)$.

• $s \mathrel{\ddot{\xrightarrow{\rho}}} s'$ etc. are defined from $s \mathrel{\ddot{\xrightarrow{a}}} s'$ analogously to Definition 2.2.

• $\ddot{\mathit{next}}(s) = \{\, a \in \Sigma \mid s \mathrel{\ddot{\xrightarrow{a}}} \,\} = \mathit{next}(s) \cap A(s)$. □

As developed so far, the stubborn set method guarantees that the reduced and full LTS have the same deadlocks. (It is assumed that the full LTS does not contain unreachable states.) Furthermore, the reduced LTS has an infinite execution if and only if the full LTS has.

Theorem 3.4 Let $L = (S, \Sigma_V, \Sigma_I, \Delta, \mathit{is})$ be an LTS such that $\mathit{is} \to^{*} s$ for every $s \in S$. Let $\ddot L = (\ddot S, \Sigma_V, \Sigma_I, \ddot\Delta, \mathit{is})$ be a reduced LTS obtained from $L$ with the stubborn set generator $A$.

(a) Assume that A0, A1 and A2 hold. Then $s \in S$ and $\mathit{next}(s) = \emptyset$ if and only if $s \in \ddot S$ and $\ddot{\mathit{next}}(s) = \emptyset$.

(b) Assume that A0, A1 and A3 hold. There are $a_1, a_2, \ldots$ such that $\mathit{is} \xrightarrow{a_1 a_2 \ldots}$ if and only if there are $a'_1, a'_2, \ldots$ such that $\mathit{is} \mathrel{\ddot{\xrightarrow{a'_1 a'_2 \ldots}}}$.

Proof (a) If $s \in \ddot S$ and $\ddot{\mathit{next}}(s) = \emptyset$, then $s \in S$ by $\ddot S \subseteq S$, and $\mathit{next}(s) = \emptyset$ by A0. If $s \in \ddot S$ and $\mathit{next}(s) = \emptyset$, then $\ddot{\mathit{next}}(s) = \mathit{next}(s) \cap A(s) = \emptyset$. It remains to be shown that if $s \in S$ and $\mathit{next}(s) = \emptyset$, then $s \in \ddot S$. We will show that if $\mathit{next}(s) = \emptyset$, $\hat s \in \ddot S$, and $\hat s \xrightarrow{a_1 \ldots a_n} s$ where $n > 0$, then there are $s'$, $a$, and $a'_1, \ldots, a'_{n-1}$ such that $\hat s \mathrel{\ddot{\xrightarrow{a}}} s'$ and $s' \xrightarrow{a'_1 \ldots a'_{n-1}} s$. The claim $s \in \ddot S$ follows from this and the fact that $\mathit{is} \in \ddot S$ by "reversed" induction on $n$.

If $\hat s \xrightarrow{a_1 \ldots a_n} s$, then there are $s_0, \ldots, s_n$ such that $s_0 = \hat s$, $s_n = s$, and $s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots \xrightarrow{a_n} s_n$. When $n > 0$, we have $s_0 \xrightarrow{a_1}$, and A0 guarantees that there is some $a$ such that $s_0 \mathrel{\ddot{\xrightarrow{a}}}$. If none of $a_1, \ldots, a_n$ belongs to $A(s_0)$, then $s_n \xrightarrow{a}$ by A2, which is a contradiction with $\mathit{next}(s) = \emptyset$. There is thus $1 \le j \le n$ such that $a_j \in A(s_0)$. By choosing the smallest such $j$ we obtain $a_i \notin A(s_0)$ for $1 \le i < j$. Now A1 implies the existence of $s'_0, \ldots, s'_{j-1}$ such that $s_0 \mathrel{\ddot{\xrightarrow{a_j}}} s'_0$, $s'_0 \xrightarrow{a_1 \ldots a_{j-1}} s'_{j-1}$, and $s'_{j-1} = s_j$. We may choose $s' = s'_0$, $a = a_j$, $a'_1 = a_1, \ldots, a'_{j-1} = a_{j-1}$, and $a'_j = a_{j+1}, \ldots, a'_{n-1} = a_n$.

(b) The "if"-part is obvious from $\ddot\Delta \subseteq \Delta$. To show the "only if" part we will show that if $s \in \ddot S$ and $s \xrightarrow{a_1 a_2 \ldots}$, then there are $s'$, $a$, and $a'_1, a'_2, \ldots$ such that $s \mathrel{\ddot{\xrightarrow{a}}} s'$ and $s' \xrightarrow{a'_1 a'_2 \ldots}$. The claim follows then by induction.

Let $s_0, s_1, \ldots$ be chosen such that $s_0 = s$ and $s_0 \xrightarrow{a_1} s_1 \xrightarrow{a_2} \cdots$. If there is $a_j$ such that $a_j \in A(s_0)$ and $a_i \notin A(s_0)$ when $1 \le i < j$, then A1 implies the existence of $s'_0, \ldots, s'_{j-1}$ such that $s_0 \mathrel{\ddot{\xrightarrow{a_j}}} s'_0$ and $s'_0 \xrightarrow{a_1 \ldots a_{j-1}} s'_{j-1} \xrightarrow{a_{j+1} a_{j+2} \ldots}$, where $s'_{j-1} = s_j$. Otherwise A0 and A3 ensure the existence of an $a$ and $s'$ such that $s \mathrel{\ddot{\xrightarrow{a}}} s' \xrightarrow{a_1 a_2 \ldots}$. □

Figure 2 Two parallel compositions with possible reduced LTSs

Without additional assumptions about the selection of stubborn sets, the stubborn set method does not guarantee much more than Theorem 3.4. This is because of two reasons.

Firstly, when a transition is "moved to the front" by A1, the ordering of actions changes. As a consequence, all possible orderings of visible actions are not necessarily included in the reduced LTS. This may lead to the omission of traces, stable failures, and so on. For instance, if both $a$ and $b$ are visible in Figure 2, then $\mathit{tr}(L_1 \parallel L_2) = \{\varepsilon, a, b, ab, ba\}$. (In all LTS figures in this article, the alphabet of an LTS is exactly the set of labels of its transitions. Furthermore, $a$, $b$ and $c$ are visible, and $u$ and $v$ are invisible.) It is possible that the stubborn set used in the initial state is $\{a\}$. Then the dashed transitions are left out of the reduced LTS, and its traces are $\{\varepsilon, a, ab\}$.

Secondly, it is even possible that some action is ignored in the sense that it does not occur at all in the reduced LTS although it is enabled. Consider the system $L_3 \parallel L_4$ in Figure 2. If $A(\mathit{is}) = \{u\}$, then the stubborn set method investigates only the transition $\mathit{is} \xrightarrow{u} \mathit{is}$. But this transition takes the system back to a state that has already been investigated, so the method terminates. Intuitively, the justification for not investigating $a$ initially is that $a$ is independent of $u$, so the occurrence of $a$ may be postponed until $u$ has occurred. But in this example, $u$ can occur an infinite number of times. By postponing the occurrence of $a$ until $u$ is no longer enabled, the stubborn set method postpones $a$ forever.

4.  Preserving  Trace  Equivalence 

Throughout this and the following two sections, let $L = (S, \Sigma_V, \Sigma_I, \Delta, \mathit{is})$ be an LTS such that all of its states are reachable from $\mathit{is}$, $A$ a stubborn set generator for it, and $\ddot L = (\ddot S, \Sigma_V, \Sigma_I, \ddot\Delta, \mathit{is})$ the resulting reduced LTS.


In order to prevent the stubborn set method from changing the ordering of visible actions, we introduce an additional condition for the selection of stubborn sets. The condition requires that either all enabled actions in the stubborn set are invisible, or the set contains all (both enabled and disabled) visible actions.

(A4) For every $s \in \ddot S$, either $\Sigma_V \cap A(s) \cap \mathit{next}(s) = \emptyset$ or $\Sigma_V \subseteq A(s)$ (or both).

It is clear from $\ddot\Delta \subseteq \Delta$ that $\mathit{tr}(\ddot L) \subseteq \mathit{tr}(L)$. The system $L_3 \parallel L_4$ in Figure 2 demonstrates that A4 is not sufficient for ensuring that $\mathit{tr}(L) \subseteq \mathit{tr}(\ddot L)$. A4 suffices, however, for showing that $\mathit{sfail}(L) \subseteq \mathit{sfail}(\ddot L)$.

Lemma 4.1 If A0, A1, A2 and A4 hold, then $\mathit{sfail}(L) \subseteq \mathit{sfail}(\ddot L)$.

Proof Let $(\sigma, A) \in \mathit{sfail}(L)$. There are $n \ge 0$, $a_1, \ldots, a_n \in \Sigma$ and $s_0, \ldots, s_n \in S$ such that $s_0 = \mathit{is}$, $s_0 \xrightarrow{a_1} \cdots \xrightarrow{a_n} s_n$, $\mathit{vis}(a_1 \ldots a_n) = \sigma$, and $\mathit{next}(s_n) \subseteq \Sigma_V - A$. We will show for increasing values of $m$ that there are $s_{0,m}, \ldots, s_{n,m} \in S$ and a permutation $a_{1,m}, \ldots, a_{n,m}$ of $a_1, \ldots, a_n$ such that $s_{0,m} = \mathit{is}$, $s_{0,m} \mathrel{\ddot{\xrightarrow{a_{1,m}}}} \cdots \mathrel{\ddot{\xrightarrow{a_{m,m}}}} s_{m,m} \xrightarrow{a_{m+1,m}} \cdots \xrightarrow{a_{n,m}} s_{n,m}$, $\mathit{vis}(a_{1,m} \ldots a_{n,m}) = \sigma$, and $s_{n,m} = s_n$. The biggest value of $m$ for which this will be shown is at most $n$, and it has the property that $a_{m+1,m}, \ldots, a_{n,m} \in \Sigma_I$, $\mathit{next}(s_{m,m}) \subseteq \Sigma_V$ and $\mathit{next}(s_{m,m}) \cap A = \emptyset$. This implies that $\mathit{vis}(a_{1,m} \ldots a_{m,m}) = \sigma$ and $(\sigma, A) \in \mathit{sfail}(\ddot L)$.

The claim becomes valid for $m = 0$ if we choose $s_{0,0} = s_0 = \mathit{is}$, $s_{i,0} = s_i$ and $a_{i,0} = a_i$ for $1 \le i \le n$. For the induction step, assume that the claim holds for $m$. Consider the situation where

(*) $a_{j,m} \in A(s_{m,m})$ for some $m+1 \le j \le n$, and $a_{k,m} \notin A(s_{m,m})$ for $m+1 \le k < j$.

If (*) holds, then A1 guarantees the existence of $s_{m+1,m+1}, \ldots, s_{n,m+1}$ such that $s_{m,m} \mathrel{\ddot{\xrightarrow{a_{j,m}}}} s_{m+1,m+1}$, $s_{n,m+1} = s_{n,m}$, and $s_{m+1,m+1} \xrightarrow{a_{m+2,m+1}} \cdots \xrightarrow{a_{n,m+1}} s_{n,m+1}$, where the sequence $a_{m+2,m+1} \ldots a_{n,m+1}$ is obtained from $a_{m+1,m} \ldots a_{n,m}$ by removing $a_{j,m}$. We define $a_{m+1,m+1} = a_{j,m}$, $s_{m,m+1} = s_{m,m}$, and $s_{k,m+1} = s_{k,m}$ and $a_{k,m+1} = a_{k,m}$ for $1 \le k \le m$. If $a_{j,m} \in \Sigma_I$, then clearly $\mathit{vis}(a_{1,m+1} \ldots a_{n,m+1}) = \mathit{vis}(a_{1,m} \ldots a_{n,m})$. Otherwise $a_{j,m} \in \Sigma_V \cap A(s_{m,m}) \cap \mathit{next}(s_{m,m})$. By A4, $\Sigma_V \subseteq A(s_{m,m})$. Thus by (*) $a_{k,m} \notin \Sigma_V$ for $m+1 \le k < j$, and $\mathit{vis}(a_{1,m+1} \ldots a_{n,m+1}) = \mathit{vis}(a_{1,m} \ldots a_{n,m})$. Therefore, the induction step follows, if we can show (*).

If $A(s_{m,m})$ contains some enabled invisible action $a$, then $a \notin \mathit{next}(s_n)$, because $\mathit{next}(s_n) \subseteq \Sigma_V$. So A2 implies (*). If all enabled actions in $A(s_{m,m})$ are visible and at least one of $a_{m+1,m}, \ldots, a_{n,m}$ is visible (let it be called $a_{v,m}$), then $m < n$. Thus $\mathit{next}(s_{m,m}) \neq \emptyset$, and $A(s_{m,m})$ contains an enabled action by A0. Because it is visible, A4 implies $\Sigma_V \subseteq A(s_{m,m})$. Therefore, $a_{v,m} \in A(s_{m,m})$, and (*) holds for some $m+1 \le j \le v$.

If all enabled actions in $A(s_{m,m})$ are visible and none of $a_{m+1,m}, \ldots, a_{n,m}$ is visible, then $m$ has reached its biggest value. We have all parts of the claim except that $\mathit{next}(s_{m,m}) \cap A = \emptyset$. To obtain a contradiction, assume that $a \in \mathit{next}(s_{m,m}) \cap A$. Because $\mathit{next}(s_n) \subseteq \Sigma_V - A$, we have $a \notin \mathit{next}(s_n)$, and A2 guarantees that at least one of $a_{m+1,m}, \ldots, a_{n,m}$ is in $A(s_{m,m})$. Let $a_{k,m}$ be the first of them. Then A1 implies that $a_{k,m}$ is an enabled invisible action in $A(s_{m,m})$, a contradiction. Thus $\mathit{next}(s_{m,m}) \cap A = \emptyset$ holds. □

To  preserve  all  traces,  it  is  sufficient  to  add  a  condition  that  guarantees  that  visible 
actions  are  not  ignored  for  “too  long”.  It  suffices  to  require  that  for  every  state  in  the 
reduced  LTS  and  for  all  actions  that  are  enabled  in  that  state,  it  is  possible  to  reach  a  state 
in  the  reduced  LTS  such  that  the  action  is  in  its  stubborn  set. 

(A5) $\forall s \in \ddot S\colon \forall a \in \mathit{next}(s)\colon \exists s' \in \ddot S\colon s \mathrel{\ddot{\to}^{*}} s' \wedge a \in A(s')$.


Theorem 4.2 If A0, A1, A2, A4 and A5 hold, then $\mathit{tr}(L) = \mathit{tr}(\ddot L)$.


Proof It is clear from $\ddot\Delta \subseteq \Delta$ that $\mathit{tr}(\ddot L) \subseteq \mathit{tr}(L)$. To prove that $\mathit{tr}(L) \subseteq \mathit{tr}(\ddot L)$, assume that $\sigma \in \mathit{tr}(L)$. There are $n \ge 0$ and $a_1, \ldots, a_n \in \Sigma$ such that $\mathit{is} \xrightarrow{a_1 \ldots a_n}$ and $\mathit{vis}(a_1 \ldots a_n) = \sigma$. We will show for increasing values of $m$ the existence of $s_m$, $\hat a_1, \ldots, \hat a_m$, and $a'_1, \ldots, a'_k$ such that $\mathit{is} \mathrel{\ddot{\xrightarrow{\hat a_1 \ldots \hat a_m}}} s_m \xrightarrow{a'_1 \ldots a'_k}$ and $\mathit{vis}(\hat a_1 \ldots \hat a_m a'_1 \ldots a'_k) = \sigma$. We let $m$ grow until it reaches such a value that $\mathit{vis}(a'_1 \ldots a'_k) = \varepsilon$, implying that $\sigma = \mathit{vis}(\hat a_1 \ldots \hat a_m) \in \mathit{tr}(\ddot L)$.

The claim becomes valid for $m = 0$ if we choose $s_0 = \mathit{is}$, $k = n$ and $a'_i = a_i$ for $1 \le i \le n$. Assume that the claim holds for an $m$ such that $\mathit{vis}(a'_1 \ldots a'_k) \neq \varepsilon$. We consider two cases.

(a) If at least one of $a'_1, \ldots, a'_k$ belongs to $A(s_m)$, then, like before, A1 guarantees the existence of a $j$ and $s_{m+1}$ such that $s_m \mathrel{\ddot{\xrightarrow{a'_j}}} s_{m+1}$ and $s_{m+1} \xrightarrow{a'_1 \ldots a'_{j-1} a'_{j+1} \ldots a'_k}$. Furthermore, $\mathit{vis}(a'_j a'_1 \ldots a'_{j-1} a'_{j+1} \ldots a'_k) = \mathit{vis}(a'_1 \ldots a'_k)$ due to A4. So the claim is valid for $m+1$.

(b) Assume that none of $a'_1, \ldots, a'_k$ belongs to $A(s_m)$. At least one of them is visible because $\mathit{vis}(a'_1 \ldots a'_k) \neq \varepsilon$. Since $s_m \xrightarrow{a'_1}$, A0 gives $\mathit{next}(s_m) \cap A(s_m) \neq \emptyset$. A4 implies that if $a \in \mathit{next}(s_m) \cap A(s_m)$, then $a$ is invisible, because otherwise the visible one of $a'_1, \ldots, a'_k$ would belong to $A(s_m)$. Furthermore, if $s_{m+1}$ is any state such that $s_m \xrightarrow{a} s_{m+1}$, then $s_m \mathrel{\ddot{\xrightarrow{a}}} s_{m+1}$ because $a \in A(s_m)$, and A2 implies that $s_{m+1} \xrightarrow{a'_1 \ldots a'_k}$. Again, the claim is valid for $m+1$.

It remains to be proven that $m$ may reach such a value that $\mathit{vis}(a'_1 \ldots a'_k) = \varepsilon$. The case (a) clearly makes progress towards such a value, but the case (b) does not. We will now show that it is possible to ensure that the case (b) occurs at most a finite number of times without an intervening (a). A5 guarantees that there is $s'$ such that $s_m \mathrel{\ddot{\to}^{*}} s'$ and $a'_1 \in A(s')$. Let $s_0 \mathrel{\ddot{\xrightarrow{b_1}}} s_1 \mathrel{\ddot{\xrightarrow{b_2}}} \cdots \mathrel{\ddot{\xrightarrow{b_h}}} s_h$ be some shortest path from $s_m$ to $s'$ in $\ddot L$. No assumptions about the choice of $a$ from $\mathit{next}(s_m) \cap A(s_m)$ were made in the case (b). So we may choose $a = b_1$ in $s_0$, $a = b_2$ in $s_1$, and so on, until a state $s_i$ is reached such that the condition of case (a) holds. This happens after $h$ steps at the latest. □

A practical and reasonably fast implementation of A5 for finite reduced LTSs was described in [Val91]. It is based on recognising the terminal strong components of $\ddot L$. A non-empty set of states $S_T \subseteq \ddot S$ is a terminal strong component, if for every $s \in S_T$, $s \mathrel{\ddot{\to}^{*}} s'$ if and only if $s' \in S_T$. The idea is to choose an arbitrary state from each terminal strong component and ensure that every action that is enabled in it occurs somewhere in the component. The algorithm is built upon Tarjan's strong component algorithm [Tar72, AHU74]. (Tarjan's algorithm suits the task better than the more modern strong component algorithm described in [CLR90], for instance.)

Instead of A5, the following condition could be used. It takes into account the fact that only visible actions are important for traces, at the price of a slightly more complicated or less efficient implementation. It may thus save states when the occurrence of some invisible enabled action does not lead to occurrences of any visible actions. It is more complicated to implement than A5, because it is easy to check whether an action occurs anywhere in a terminal strong component, but somewhat more complicated to ensure that a disabled visible action is taken into account in some state of the component. The main reason for mentioning A5' is that it has an interesting relationship with the condition A7 presented in the next section.

(A5') $\forall s \in \ddot S\colon \forall a \in \Sigma_V\colon \exists s' \in \ddot S\colon s \mathrel{\ddot{\to}^{*}} s' \wedge a \in A(s')$.


5.  Preserving  CSP-  and  CFFD-Equivalence 

Consider the system $L_3 \parallel L_4$ in Figure 2. If $a$ is visible and $u$ is not, then its divergence traces are $\varepsilon$ and $a$. The conditions imposed so far allow choosing $\{a\}$ as the stubborn set of the initial state of the system. The resulting reduced LTS does not have $\varepsilon$ as a divergence trace. As a consequence, the conditions A0 to A5 are not sufficient for guaranteeing CSP- or CFFD-equivalence between the full and reduced LTS.

Regarding CSP-equivalence, only the minimal divergence traces are important. In order to preserve them, a condition is formulated that requires the presence of an enabled invisible action in the stubborn set, if such an action exists.

(A6) For every $s \in \ddot S$, if $\Sigma_I \cap \mathit{next}(s) \neq \emptyset$, then $A(s) \cap \Sigma_I \cap \mathit{next}(s) \neq \emptyset$.

Lemma 5.1 If A0, A1, A3, A4 and A6 hold, then $\mathit{mindiv}(L) = \mathit{mindiv}(\ddot L)$.

Proof Obviously $\mathit{mindiv}(\ddot L) \subseteq \mathit{divtr}(L)$. The claim follows if we show that also $\mathit{mindiv}(L) \subseteq \mathit{divtr}(\ddot L)$. If $\sigma \in \mathit{mindiv}(L)$, then there are $a_{1,0}, a_{2,0}, \ldots$ such that $\mathit{is} \xrightarrow{a_{1,0} a_{2,0} \ldots}$ and $\mathit{vis}(a_{1,0} a_{2,0} \ldots) = \sigma$. Let $s_0 = \mathit{is}$. We will show that for every $m \ge 1$, there are $s_m$, $\hat a_m$, and $a_{1,m}, a_{2,m}, \ldots$ such that $s_0 \mathrel{\ddot{\xrightarrow{\hat a_1}}} \mathrel{\ddot{\xrightarrow{\hat a_2}}} \cdots \mathrel{\ddot{\xrightarrow{\hat a_m}}} s_m$, $s_m \xrightarrow{a_{1,m} a_{2,m} \ldots}$, and $\mathit{vis}(\hat a_1 \hat a_2 \ldots \hat a_m a_{1,m} a_{2,m} \ldots) = \sigma$. As a consequence, $\mathit{vis}(\hat a_1 \hat a_2 \ldots) \in \mathit{divtr}(\ddot L)$. Furthermore, $\mathit{vis}(\hat a_1 \hat a_2 \ldots) \in \mathit{divtr}(L)$ and $\mathit{vis}(\hat a_1 \hat a_2 \ldots) \le \sigma \in \mathit{mindiv}(L)$, so $\mathit{vis}(\hat a_1 \hat a_2 \ldots) = \sigma$.

Assume that the claim holds for $m$.

If at least one of $a_{1,m}, a_{2,m}, \ldots \in A(s_m)$, then the existence of $s_{m+1}$, $\hat a_{m+1}$, and $a_{1,m+1}, a_{2,m+1}, \ldots$ follows from A1, and A4 guarantees that $\mathit{vis}(\hat a_1 \hat a_2 \ldots \hat a_{m+1} a_{1,m+1} a_{2,m+1} \ldots) = \mathit{vis}(\hat a_1 \hat a_2 \ldots \hat a_m a_{1,m} a_{2,m} \ldots)$.

Assume now that none of $a_{1,m}, a_{2,m}, \ldots \in A(s_m)$. A0 implies that there is some $\hat a_{m+1} \in A(s_m) \cap \mathit{next}(s_m)$. If $a_{1,m} \in \Sigma_V$, then $\hat a_{m+1} \in \Sigma_I$ due to A4. If $a_{1,m} \in \Sigma_I$, then A6 guarantees that there is some $\hat a_{m+1} \in A(s_m) \cap \Sigma_I \cap \mathit{next}(s_m)$. In both cases, A3 gives the required $s_{m+1}$ and $a_{1,m+1}, a_{2,m+1}, \ldots$. □

Lemma 5.2 If A0, A1, A2, A4 and A6 hold, then $\mathit{sfail}(L) = \mathit{sfail}(\ddot L)$.

Proof Lemma 4.1 guarantees that $\mathit{sfail}(L) \subseteq \mathit{sfail}(\ddot L)$. To show $\mathit{sfail}(\ddot L) \subseteq \mathit{sfail}(L)$, let $(\sigma, A) \in \mathit{sfail}(\ddot L)$. There are $s \in \ddot S$ and $a_1, \ldots, a_n \in \Sigma$ such that $\mathit{is} \mathrel{\ddot{\xrightarrow{a_1 \ldots a_n}}} s$, $\mathit{vis}(a_1 \ldots a_n) = \sigma$, and $\ddot{\mathit{next}}(s) \subseteq \Sigma_V - A$. Assume that $s \xrightarrow{a}$. A6 and $\ddot{\mathit{next}}(s) \subseteq \Sigma_V$ imply that $a$ is visible. Thus $\Sigma_V \subseteq A(s)$ by A0 and A4. Therefore, $a \in A(s)$ and $a \in \ddot{\mathit{next}}(s)$. As a conclusion, $\mathit{next}(s) \subseteq \ddot{\mathit{next}}(s)$, and $(\sigma, A) \in \mathit{sfail}(L)$. □

The condition A6 allows us to strengthen the proof of Lemma 4.1 a bit. Namely, if it is assumed, then the reduced LTS contains all reachable stable states of the full LTS. That is, if A0, A1, A2, A4 and A6 hold, $\mathit{is} \to^{*} s$, and $\mathit{next}(s) \subseteq \Sigma_V$, then $s \in \ddot S$.

It is now straightforward to show that A0, ..., A4 and A6 suffice to preserve CSP-equivalence.

Theorem 5.3 If A0, A1, A2, A3, A4 and A6 hold, then $\mathit{CSPfail}(L) = \mathit{CSPfail}(\ddot L)$ and $\mathit{CSPdiv}(L) = \mathit{CSPdiv}(\ddot L)$.

Proof Lemmas 5.1 and 5.2 give $\mathit{mindiv}(L) = \mathit{mindiv}(\ddot L)$ and $\mathit{sfail}(L) = \mathit{sfail}(\ddot L)$, from which $\mathit{CSPdiv}(L) = \mathit{CSPdiv}(\ddot L)$ and $\mathit{CSPfail}(L) = \mathit{CSPfail}(\ddot L)$ follow by Definition 2.6. □

Notice that A5 was not needed for preserving CSP-equivalence. This is because an action may be ignored only after a divergence trace, and CSP-equivalence does not need any information about the behaviour after a divergence trace. When implementing a stubborn set method for CSP-equivalence, it is not necessary to continue analysis from states that have proven divergent.

Figure 3 A reduced LTS obeying A0 to A6

The conditions A0 to A6 are not sufficient for preserving CFFD-equivalence, not even if A5 is included. This can be seen from the system $L_5 \parallel L_6$ in Figure 3. In it, $a$ is visible, and $u$ and $v$ are invisible. The stubborn set used at the right-most state in the top row is $\{v\}$. The full LTS has the infinite path $\mathit{is} \xrightarrow{u a v^{\omega}}$, so $a \in \mathit{divtr}(L_5 \parallel L_6)$. However, $a \notin \mathit{divtr}(\ddot L)$.

In order to preserve CFFD-equivalence, a new condition is introduced. It requires that every infinite path of the reduced LTS contains at least one state whose stubborn set contains all visible actions. Because the start state of the path need not be the initial state, the condition may be applied also to any suffix of an infinite path. Thus all infinite paths should have infinitely many states with all visible actions in their stubborn sets.

(A7) For every $s_0, s_1, \ldots \in \ddot S$ and $a_1, a_2, \ldots \in \Sigma$, if $s_0 \mathrel{\ddot{\xrightarrow{a_1}}} s_1 \mathrel{\ddot{\xrightarrow{a_2}}} \cdots$, then there is $i \ge 0$ such that $\Sigma_V \subseteq A(s_i)$.

Lemma 5.4 If A0, A1, A3, A4 and A7 hold, then $\mathit{inftr}(L) = \mathit{inftr}(\ddot L)$. If, furthermore, A6 holds, then $\mathit{divtr}(L) = \mathit{divtr}(\ddot L)$.

Proof The parts $\mathit{divtr}(\ddot L) \subseteq \mathit{divtr}(L)$ and $\mathit{inftr}(\ddot L) \subseteq \mathit{inftr}(L)$ are obvious from $\ddot\Delta \subseteq \Delta$. To prove $\mathit{inftr}(L) \subseteq \mathit{inftr}(\ddot L)$ and $\mathit{divtr}(L) \subseteq \mathit{divtr}(\ddot L)$, let $s_0 = \mathit{is}$ and let $a_{1,0}, a_{2,0}, \ldots$ be such that $s_0 \xrightarrow{a_{1,0} a_{2,0} \ldots}$ and $\mathit{vis}(a_{1,0} a_{2,0} \ldots) = \sigma \in \mathit{divtr}(L) \cup \mathit{inftr}(L)$. We demonstrate for every $m \ge 0$ the existence of $s_m$, $\hat a_m$, and $a_{1,m}, a_{2,m}, \ldots$ such that $s_0 \mathrel{\ddot{\xrightarrow{\hat a_1}}} s_1 \cdots \mathrel{\ddot{\xrightarrow{\hat a_m}}} s_m$, $s_m \xrightarrow{a_{1,m} a_{2,m} \ldots}$, and $\mathit{vis}(\hat a_1 \hat a_2 \ldots \hat a_m a_{1,m} a_{2,m} \ldots) = \sigma$.

Assume that the claim holds for $m$. If $\Sigma_V \cap A(s_m) \cap \mathit{next}(s_m) = \emptyset$, then A0 guarantees that $\ddot{\mathit{next}}(s_m) \neq \emptyset$, and, depending on whether any of $a_{1,m}, a_{2,m}, \ldots \in A(s_m)$, either A1 or A3 yields $s_{m+1}$, $\hat a_{m+1}$, and $a_{1,m+1}, a_{2,m+1}, \ldots$ with the required properties. If $\Sigma_V \cap A(s_m) \cap \mathit{next}(s_m) \neq \emptyset$ and at least one of $a_{1,m}, a_{2,m}, \ldots \in \Sigma_V$, then A4 guarantees that $a_{j,m} \in A(s_m)$ for some $j > 0$, and A1 yields $s_{m+1}$ and so on. If $\Sigma_V \cap A(s_m) \cap \mathit{next}(s_m) \neq \emptyset$ and none of $a_{1,m}, a_{2,m}, \ldots \in \Sigma_V$, then $\sigma \in \mathit{divtr}(L)$. A6 and $s_m \xrightarrow{a_{1,m}}$ imply that there is $a \in A(s_m) \cap \mathit{next}(s_m) \cap \Sigma_I$. Again, either A1 or A3 yields $s_{m+1}$ etc.

Because $\mathit{vis}(\hat a_1 \hat a_2 \ldots \hat a_m a_{1,m} a_{2,m} \ldots) = \sigma$ for every $m \ge 0$, we have $\mathit{vis}(\hat a_1 \hat a_2 \ldots) \le \sigma$. Because condition A7 guarantees that $\Sigma_V \subseteq A(s_m)$ for infinitely many $m$, it is not possible that $\mathit{vis}(\hat a_1 \hat a_2 \ldots) < \sigma$. Therefore, $\mathit{vis}(\hat a_1 \hat a_2 \ldots) = \sigma$, and the claim has been proven. □

Theorem 5.5 If A0 to A4 and A6 and A7 hold, then $L$ and $\ddot L$ are CFFD-equivalent.

Proof Lemmas 5.2 and 5.4 give $\mathit{sfail}(L) = \mathit{sfail}(\ddot L)$, $\mathit{divtr}(L) = \mathit{divtr}(\ddot L)$ and $\mathit{inftr}(L) = \mathit{inftr}(\ddot L)$. That $\mathit{stable}(L) = \mathit{stable}(\ddot L)$ follows directly from $\ddot\Delta \subseteq \Delta$ and A6. □

Practical implementations of A4, A6 and A7 have been described in [Val92a, Val92b]. In them, A4 and A6 are taken into account in the construction algorithm for stubborn sets. To obtain the best reduction results, the implementation tries first to find a stubborn set with no enabled visible actions. If the construction of stubborn sets is based on an independency relation, as is often the case, then A4 can also be implemented simply by treating all visible actions as not independent of each other. In the context of Theorem 3.2 this could be done by adding to the parallel composition one more process $L_0 = (S_0, \Sigma_{V0}, \Sigma_{I0}, \Delta_0, \mathit{is}_0)$ such that $S_0 = \{\mathit{is}_0\}$, $\Sigma_{V0} = \Sigma_{V1} \cup \ldots \cup \Sigma_{Vn}$, $\Sigma_{I0} = \emptyset$, and $\Delta_0 = S_0 \times \Sigma_{V0} \times S_0$.

Figure 4 A reduced LTS obeying A0 to A7

The implementation of A7 in [Val92a, Val92b] assumes that the reduced LTS is finite. Under that assumption, A7 becomes equivalent to the requirement that every cycle of the reduced LTS contains a state whose stubborn set contains all visible actions. (A cycle of $\ddot L$ is a set $\{s_1, \ldots, s_n\}$ of states such that there are actions $a_1, \ldots, a_n$ such that $s_1 \mathrel{\ddot{\xrightarrow{a_2}}} s_2 \cdots \mathrel{\ddot{\xrightarrow{a_n}}} s_n$ and $s_n \mathrel{\ddot{\xrightarrow{a_1}}} s_1$.) The articles [Val92a, Val92b] describe an efficient technique for detecting and repairing cycles which do not satisfy the above requirement. An alternative, not equivalent, implementation of A7 can be found in [GK+95], for instance.
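As an added example (not code from the article or from [Val91], [Val92a], [Val92b]), the following Python program checks A5 and A7 on a finite reduced LTS with Tarjan's strong component algorithm. It serves both the terminal-strong-component implementation of A5 described in Section 4 and the cycle formulation of A7 above. The reduced LTS is a reconstruction of L3 ∥ L4 from Figure 2, whose exact shape is assumed; it is examined once with the ignoring stubborn sets A(s) = {u} and once with the repaired choice A(s) = {u, a}. All function names are the example's own.

```python
# Added example (not from the article): A5 and A7 checks on a finite reduced
# LTS, built on Tarjan's strong component algorithm [Tar72]. Constructed data:
# a full LTS in the shape described for L3 || L4 (u loops in every state, a
# leads from `is` to a second state; the figure itself is assumed).
FULL = {("is", "u", "is"), ("is", "a", "s1"), ("s1", "u", "s1")}
VISIBLE = {"a"}

# Two stubborn set generators and the reduced LTSs they induce (Definition 3.3):
# A(s) = {u} everywhere ignores a forever; A(s) = {u, a} repairs that.
def ignoring(s):
    return {"u"}

def repaired(s):
    return {"u", "a"}

REDUCED_IGNORING = ({"is"}, {("is", "u", "is")})
REDUCED_REPAIRED = ({"is", "s1"}, FULL)

def successors(trans):
    return lambda v: {q for (p, _, q) in trans if p == v}

def tarjan_scc(nodes, succ):
    """Tarjan's algorithm: strongly connected components as frozensets."""
    index, low, on_stack, stack, comps, counter = {}, {}, set(), [], [], [0]

    def visit(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in succ(v):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of a component
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(frozenset(comp))

    for v in sorted(nodes):
        if v not in index:
            visit(v)
    return comps

def terminal_components(r_states, r_trans):
    """Terminal strong components: no reduced transition leaves the component."""
    succ = successors(r_trans)
    return [c for c in tarjan_scc(r_states, succ) if all(succ(v) <= c for v in c)]

def reachable(trans, s):
    succ, seen, work = successors(trans), {s}, [s]
    while work:
        for q in succ(work.pop()):
            if q not in seen:
                seen.add(q)
                work.append(q)
    return seen

def a5_violations(r_states, r_trans, full_trans, stubborn):
    """A5 checked literally: for every reduced state s and every action enabled
    in s (in the full LTS), some state reachable from s in the reduced LTS must
    have that action in its stubborn set. Returns the offending (s, a) pairs."""
    bad = set()
    for s in r_states:
        reach = reachable(r_trans, s)
        for a in {a for (p, a, _) in full_trans if p == s}:
            if not any(a in stubborn(t) for t in reach):
                bad.add((s, a))
    return bad

def terminal_component_check(r_states, r_trans, full_trans):
    """The terminal-component criterion: pick one state of each terminal strong
    component and require every action enabled there to occur on some
    transition inside the component. Returns failing (component, action) pairs."""
    bad = []
    for comp in terminal_components(r_states, r_trans):
        probe = min(comp)
        inside = {a for (p, a, q) in r_trans if p in comp and q in comp}
        for a in sorted({a for (p, a, _) in full_trans if p == probe}):
            if a not in inside:
                bad.append((comp, a))
    return bad

def a7_holds(r_states, r_trans, visible, stubborn):
    """A7 on a finite reduced LTS: every cycle must pass through a state with
    Sigma_V a subset of A(s). Equivalently, the sub-graph of the states lacking
    that property is acyclic: no non-trivial component and no self-loop."""
    weak = {s for s in r_states if not visible <= stubborn(s)}
    sub = {(p, a, q) for (p, a, q) in r_trans if p in weak and q in weak}
    for comp in tarjan_scc(weak, successors(sub)):
        if len(comp) > 1 or any(p == q for (p, _, q) in sub if p in comp):
            return False
    return True

if __name__ == "__main__":
    for name, (st, tr), gen in [("ignoring", REDUCED_IGNORING, ignoring),
                                ("repaired", REDUCED_REPAIRED, repaired)]:
        print(name, a5_violations(st, tr, FULL, gen),
              terminal_component_check(st, tr, FULL), a7_holds(st, tr, VISIBLE, gen))
```

With A(s) = {u} the single terminal component {is} has a enabled but never occurring, so both the literal A5 check and the terminal-component criterion report (is, a), and the self-loop on is violates A7 because {a} ⊄ {u}. With A(s) = {u, a} in both states, A5 holds, the only terminal component is {s1}, and no state lacks Σ_V in its stubborn set, so A7 holds as well.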

A7 has an interesting relationship with A5'. A deadlock state can be considered as a state where all actions are in the stubborn set. Therefore, A7 claims, in essence, that for any state in the reduced LTS, a state where all visible actions are in the stubborn set is eventually reached. A5' claims that for any state in the reduced LTS and any visible action, it is always possible to go into a state where the action is in the stubborn set. A7 is thus strictly stronger than A5'. This added strength was needed to guarantee that all infinite executions have a correct representative in the reduced LTS.

6. Preserving Branching Bisimilarity

A method that is close to the stubborn set method was applied in [GK+95] to the verification of formulae in the CTL*-X logic and to constructing reduced state spaces that are branching bisimilar with full state spaces. In this section we translate the method into the framework of this article. We give it a new correctness proof that is simpler than the original one and allows non-deterministic transitions.²

We first demonstrate that A0 to A7 do not guarantee that the reduced LTS is even weakly bisimilar with the full LTS. Figure 4 shows a counter-example. In it, $a$, $b$ and $c$ are visible and $u$ is invisible. The full LTS contains a state where the next visible action may be $b$ or $c$ but not $a$, but the reduced LTS does not contain such a state.

It is apparent from the above counter-example that a very strong condition is needed to preserve weak and branching bisimilarity. So we require that if a stubborn set does not contain all actions, then it contains only one enabled action, and (unlike the $u$-action in Figure 4) an occurrence of that action may have only one outcome. Furthermore, this action should be invisible and commutative with all other enabled actions, and retain its nice properties when other actions occur. Except invisibility, these requirements are formulated in the notion of super-determinism.

² During the POMIV '96 workshop it turned out that [Pel96b] contains a very similar proof to the one presented in this section. The [Pel96b] and [GK+95] proofs cover also the preservation of CTL*-X that the proof in this section lacks, but they assume deterministic structural transitions.

Figure 5 Illustration of super-determinism

Definition 6.1 Action $a$ is super-deterministic in state $s_0$, if and only if for every $n \ge 0$, $s_1, \ldots, s_n \in S$, and $a_1, \ldots, a_n \in \Sigma - \{a\}$ such that $s_0 \xrightarrow{a_1} \cdots \xrightarrow{a_n} s_n$, there are $s'_0, \ldots, s'_n$ such that

• $s'_0 \xrightarrow{a_1} \cdots \xrightarrow{a_n} s'_n$ and

• for every $0 \le i \le n$, $s_i \xrightarrow{a} s'_i$ and $\{\, s \in S \mid s_i \xrightarrow{a} s \,\} = \{s'_i\}$. □

Super-determinism is illustrated in Figure 5. The following is easy to check from Definition 6.1.

Lemma 6.2 If $a$ is super-deterministic in $s$ and $s \xrightarrow{a'} s'$ where $a' \neq a$, then $a$ is super-deterministic in $s'$. □

The branching-bisimilarity-preserving stubborn set method requires that a stubborn set either contains all actions, or contains only one enabled action. In the latter case, the action should be super-deterministic and invisible.

(A8) For every $s \in \ddot S$, either $A(s) = \Sigma$, or there is $a \in \Sigma_I$ such that $A(s) \cap \mathit{next}(s) = \{a\}$ and $a$ is super-deterministic in $s$.
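The following Python program is an added example, not part of the article: it decides super-determinism in the sense of Definition 6.1 on a finite LTS and uses that to check A8. The LTS is constructed for the example and is only loosely modelled on Figure 5, which is not reproduced here; the two ways of breaking super-determinism shown (an extra branch after which u is disabled, and a second outcome of u) and all names are assumptions of the example.

```python
# Added example (not from the article): a finite check of super-determinism
# (Definition 6.1) and of condition A8. Constructed LTS: the invisible action u
# commutes with the visible action a and has exactly one outcome wherever
# a-paths lead, so u is super-deterministic in s0 (and, by Lemma 6.2, in s1).
BASE = {("s0", "u", "t0"), ("s0", "a", "s1"), ("t0", "a", "t1"), ("s1", "u", "t1")}
SIGMA = {"a", "u"}
INVISIBLE = {"u"}

def succs(trans, s, a):
    """The states reached from s by one occurrence of a."""
    return {q for (p, b, q) in trans if p == s and b == a}

def super_deterministic(trans, s0, a):
    """Definition 6.1 on a finite LTS. Because each s_i must have exactly one
    a-successor, the s'_i of the definition are forced, and the path-wise
    condition reduces to local checks on every state reachable from s0 by
    actions other than a: a has exactly one outcome there, and every step
    s -b-> t (b != a) is matched by a(s) -b-> a(t)."""
    seen, work = {s0}, [s0]
    while work:
        s = work.pop()
        outs = succs(trans, s, a)
        if len(outs) != 1:
            return False          # a is disabled or non-deterministic in s
        (s_a,) = outs
        for (p, b, t) in trans:
            if p != s or b == a:
                continue
            t_a = succs(trans, t, a)
            if len(t_a) != 1 or not t_a <= succs(trans, s_a, b):
                return False      # the square s, t, a(s), a(t) does not commute
            if t not in seen:
                seen.add(t)
                work.append(t)
    return True

def a8_holds(r_states, trans, sigma, invisible, stubborn):
    """A8: in every reduced state, A(s) is either all of Sigma or has exactly
    one enabled action, which is invisible and super-deterministic in s."""
    for s in r_states:
        A = stubborn(s)
        if A == sigma:
            continue
        enabled_in_A = A & {a for (p, a, _) in trans if p == s}
        if len(enabled_in_A) != 1:
            return False
        (a,) = enabled_in_A
        if a not in invisible or not super_deterministic(trans, s, a):
            return False
    return True

def stubborn_for(sigma):
    """Stubborn sets of the kind A8 allows: {u} in s0, everything elsewhere."""
    return lambda s: {"u"} if s == "s0" else sigma

# Two ways of breaking super-determinism of u in s0, for comparison.
WITH_BRANCH = BASE | {("s0", "b", "s2")}   # after b, u is no longer enabled
WITH_CHOICE = BASE | {("s0", "u", "t2")}   # u has two outcomes in s0

if __name__ == "__main__":
    print(super_deterministic(BASE, "s0", "u"),
          super_deterministic(WITH_BRANCH, "s0", "u"),
          super_deterministic(WITH_CHOICE, "s0", "u"))
    print(a8_holds({"s0", "t0", "t1"}, BASE, SIGMA, INVISIBLE, stubborn_for(SIGMA)))
```

The reduced state set {s0, t0, t1} passed to a8_holds is what Definition 3.3 yields from BASE with these stubborn sets: from s0 only u is followed, and from t0 and t1 everything. Adding the branch s0 -b-> s2 makes u fail the definition in s0 (no u after b), and a second u-outcome in s0 fails the uniqueness part, which is the situation of the u-action in Figure 4.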

Theorem 6.3 If A5 and A8 hold, then $L$ and $\ddot L$ are branching-bisimilar.

Proof We will show that the following relation $\approx$ is a branching bisimulation between $L$ and $\ddot L$:

$\ddot s \approx s$ if and only if there are $n \ge 0$, $s_0, \ldots, s_n \in S$, and $a_1, \ldots, a_n \in \Sigma_I$ such that $s = s_0$, $s_n = \ddot s$, $s_0 \xrightarrow{a_1} \cdots \xrightarrow{a_n} s_n$, and $a_i$ is super-deterministic in $s_{i-1}$ for $1 \le i \le n$.

It is obvious from the definition that $s \approx s$ for every $s \in \ddot S$. Therefore, any transition $\ddot s \mathrel{\ddot{\xrightarrow{a}}} \ddot s'$ of $\ddot L$ can be simulated by the sequence $s \xrightarrow{a_1 \ldots a_n} \ddot s \xrightarrow{a} \ddot s'$ of $L$. It remains to be proven that any transition $s_0 \xrightarrow{a} s'_0$ of $L$ can be simulated by $\ddot L$.

If $a = a_j$ for some $1 \le j \le n$ and $a \neq a_i$ for every $1 \le i < j$, then $a$ is invisible. Because of the super-determinism of $a_1, \ldots, a_{j-1}$ in $s_0, \ldots, s_{j-2}$, there are $s'_1, \ldots, s'_{j-1}$ such that $s'_0 \xrightarrow{a_1} \cdots \xrightarrow{a_{j-1}} s'_{j-1}$ and $s_i \xrightarrow{a} s'_i$ for $1 \le i < j$, and $a_1, \ldots, a_{j-1}$ are super-deterministic in $s'_0, \ldots, s'_{j-2}$. Furthermore, $s'_{j-1} = s_j$ because $a_j$ is super-deterministic in $s_{j-1}$. As a consequence, $s_n \approx s'_0$, and $\ddot L$ may simulate the transition $s_0 \xrightarrow{a} s'_0$ by doing nothing.

If $a \neq a_j$ for every $1 \le j \le n$, then the super-determinism of $a_1, \ldots, a_n$ in $s_0, \ldots, s_{n-1}$ guarantees the existence of $s'_1, \ldots, s'_n$ such that $s_n \xrightarrow{a} s'_n$, $s'_0 \xrightarrow{a_1} \cdots \xrightarrow{a_n} s'_n$, and $a_1, \ldots, a_n$ are super-deterministic in $s'_0, \ldots, s'_{n-1}$. If $a \notin A(s_n)$, then by A8 there are $s_{n+1}$, $s'_{n+1}$, and an invisible $a_{n+1}$ such that $s_n \mathrel{\ddot{\xrightarrow{a_{n+1}}}} s_{n+1}$, $s_{n+1} \xrightarrow{a} s'_{n+1}$, $s'_n \xrightarrow{a_{n+1}} s'_{n+1}$, and $a_{n+1}$ is super-deterministic in $s_n$ and $s'_n$. Moreover, there are only one $a_{n+1}$ and $s_{n+1}$ such that $s_n \mathrel{\ddot{\xrightarrow{a_{n+1}}}} s_{n+1}$. By induction, if $a \notin A(s_n), \ldots, A(s_{n+k-1})$, then by A8 there are $s_{n+1}, \ldots, s_{n+k}$, $s'_{n+1}, \ldots, s'_{n+k}$, and invisible $a_{n+1}, \ldots, a_{n+k}$ such that $s_n \mathrel{\ddot{\xrightarrow{a_{n+1}}}} \cdots \mathrel{\ddot{\xrightarrow{a_{n+k}}}} s_{n+k} \xrightarrow{a} s'_{n+k}$, $s'_n \xrightarrow{a_{n+1}} \cdots \xrightarrow{a_{n+k}} s'_{n+k}$, and $a_{n+1}, \ldots, a_{n+k}$ are super-deterministic in $s_n, \ldots, s_{n+k-1}$ and in $s'_n, \ldots, s'_{n+k-1}$. Moreover, $s_{n+k}$ is the only state that can be reached from $s_n$ by $k$ steps in $\ddot L$. A5 guarantees that $a \in A(s_{n+k})$ for some $k$. For that $k$, $s_{n+k} \mathrel{\ddot{\xrightarrow{a}}} s'_{n+k}$, $s_{n+k} \approx s_0$, and $s'_{n+k} \approx s'_0$. As a consequence, $\ddot L$ may simulate the transition $s_0 \xrightarrow{a} s'_0$ by the sequence $s_n \mathrel{\ddot{\xrightarrow{a_{n+1} \ldots a_{n+k}}}} s_{n+k} \mathrel{\ddot{\xrightarrow{a}}} s'_{n+k}$. For future use we point out that $s_{n+i} \approx s_0$ for every $0 \le i < k$. □

The  following  fact  is  worth  mentioning  here.  It  guarantees,  among  other  things,  that 
L  simulates  all  divergence  traces  of  L  by  divergence  traces,  instead  of  doing  nothing.  As  a 
consequence,  L  preserves  certain  branching-time  liveness  properties  of  L. 

Theorem 6.4 Assume that A5 and A8 hold. If s_0 -a_1-> s_1 -a_2-> ... and s'_0 ~ s_0,
where s'_0 ∈ S, then there are s'_1, s'_2, ... and a'_1, a'_2, ... such that s'_0 -a'_1-> s'_1 -a'_2-> ... and
vis(a_1a_2...) = vis(a'_1a'_2...). Furthermore, for every i ≥ 0 there is j ≥ 0 such that s'_j ~ s_i, and
for every j ≥ 0 there is i ≥ 0 such that s'_j ~ s_i.

Proof Consider the construction used for showing that L can simulate transitions of
L. When it is applied repeatedly to the transitions s_0 -a_1-> s_1, s_1 -a_2-> s_2, and so on, starting
at s'_0 ~ s_0, it finds for each i ≥ 0 a k(i) ≥ 0 and states s'_{k(i)+1}, ..., s'_{k(i+1)} and actions
a'_{k(i)+1}, ..., a'_{k(i+1)} such that k(0) = 0, s'_{k(i)} -a'_{k(i)+1}-> ... -a'_{k(i+1)}-> s'_{k(i+1)}, and s'_j ~ s_i and
vis(a'_1...a'_j) = vis(a_1...a_i) when j = k(i) and when k(i) < j < k(i+1). The definition of ~
guarantees for each i ≥ 0 the existence of an action sequence ρ_i such that s_i -ρ_i-> s'_{k(i)}. Let
n_i be the length of ρ_i. The construction implies that n_i = n_0 + k(i) - i for every i. Because n_i
cannot become negative, k(i) has to grow without limit when i grows without limit. □

The condition A8 is not difficult to implement. The following theorem gives a sufficient
structural condition for super-determinism in the spirit of Theorem 3.2. It requires
that all component LTSs that synchronise on the super-deterministic action can perform
next only that action and in only one way. A(s) may be implemented by seeking a
super-deterministic invisible action a and choosing A(s) = {a}. If that fails, then one
should choose A(s) = Σ, that is, all (enabled) actions should be used for constructing the
immediate successors of the state.

Theorem 6.5 Let L_1 || ... || L_n be a parallel composition of the LTSs L_1 = (S_1, Σ_V1,
Σ_I1, Δ_1, ŝ_1), ..., L_n = (S_n, Σ_Vn, Σ_In, Δ_n, ŝ_n), and let (s_1, ..., s_n) -a-> (s'_1, ..., s'_n). Assume
that for every 1 ≤ i ≤ n such that a ∈ Σ_i, and for every a' ∈ Σ_i and s' ∈ S_i, s_i -a'-> s'
implies a' = a and s' = s'_i. Then a is super-deterministic in (s_1, ..., s_n). □
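The following is an added example, not code from the paper: it models a parallel composition of component LTSs that synchronise on shared actions, implements the sufficient condition of Theorem 6.5 as a check on one global transition, and applies the A(s) selection rule described above (a super-deterministic invisible action if one exists, otherwise all enabled actions) while generating the reduced LTS. The class and function names, the worker components and the assumption that the global condition A5 does not matter on this example (singleton choices never form a cycle there) are all mine.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LTS:
    """Component L_i = (S_i, Sigma_Vi, Sigma_Ii, Delta_i, initial) as in Theorem 6.5."""
    states: frozenset
    visible: frozenset
    invisible: frozenset
    delta: frozenset          # transition relation: set of (s, a, s') triples
    initial: object

    @property
    def alphabet(self):
        return self.visible | self.invisible

    def out(self, s):
        """Outgoing (action, target) pairs of the local state s."""
        return {(a, t) for (src, a, t) in self.delta if src == s}


def global_successors(comps, state):
    """Transitions of L_1 || ... || L_n from a global state: an action moves every
    component whose alphabet contains it (synchronously) and leaves the others alone."""
    alphabet = set().union(*(c.alphabet for c in comps))
    result = []
    for a in sorted(alphabet):
        options = [sorted(t for (b, t) in c.out(s) if b == a) if a in c.alphabet else [s]
                   for c, s in zip(comps, state)]
        if all(options):              # enabled iff every synchronising component can move
            targets = [()]
            for opt in options:       # product over non-deterministic components
                targets = [tgt + (t,) for tgt in targets for t in opt]
            result.extend((a, tgt) for tgt in targets)
    return result


def super_deterministic(comps, state, a, target):
    """Sufficient condition of Theorem 6.5 for state -a-> target: every component that
    synchronises on a can perform next only a, and only to its part of target."""
    for c, s, t in zip(comps, state, target):
        if a in c.alphabet and c.out(s) != {(a, t)}:
            return False
    return True


def choose_A(comps, state):
    """Selection rule from the text: if an enabled invisible action a is
    super-deterministic, A(s) = {a}; otherwise A(s) = Sigma, i.e. all enabled actions."""
    succs = global_successors(comps, state)
    invisible = set().union(*(c.invisible for c in comps))
    for a, tgt in succs:
        if a in invisible and super_deterministic(comps, state, a, tgt):
            return [(a, tgt)]
    return succs


def explore(comps, selector):
    """Breadth-first construction of the LTS whose states are expanded with the
    successors returned by selector (global_successors: full LTS; choose_A: reduced
    LTS). The global condition A5 is not enforced here; assumption: on the example
    below singleton choices never form a cycle, so A5 plays no role."""
    init = tuple(c.initial for c in comps)
    seen, edges, queue = {init}, [], deque([init])
    while queue:
        s = queue.popleft()
        for a, t in selector(comps, s):
            edges.append((s, a, t))
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen, edges


def make_worker(i, with_choice=False):
    """Constructed component: a local invisible step tau_i, then the shared visible
    action sync. With with_choice a second local step competes with tau_i, which
    breaks the condition of Theorem 6.5 for tau_i."""
    delta = {("init", f"tau_{i}", "ready"), ("ready", "sync", "done")}
    invisible = {f"tau_{i}"}
    if with_choice:
        delta.add(("init", f"skip_{i}", "ready"))
        invisible.add(f"skip_{i}")
    return LTS(frozenset({"init", "ready", "done"}), frozenset({"sync"}),
               frozenset(invisible), frozenset(delta), "init")


def state_counts(n):
    """(states of the full LTS, states of the reduced LTS) for n workers: the full
    composition has 2**n + 1 reachable states, the reduced one n + 2."""
    comps = [make_worker(i) for i in range(n)]
    full, _ = explore(comps, global_successors)
    reduced, _ = explore(comps, choose_A)
    return len(full), len(reduced)


if __name__ == "__main__":
    print(state_counts(3))   # (9, 5)
```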

A “terminal strong component” technique for the implementation of A5 when the
reduced LTS is finite was mentioned in Section 4. In the case of branching bisimilarity, if
A(s) ≠ Σ, then s has only one successor state in the reduced LTS. Therefore, strong components
that violate A5 collapse to cycles. This simplifies the detection of strong components
that violate A5. Indeed, they may be detected and repaired efficiently with the
techniques in [Val92a, Val92b] that were intended for implementing A7. For repair, it is
necessary to put all enabled actions into the stubborn set, instead of all visible actions.


7.  Conclusions 


We described several methods for constructing reduced labelled transition systems
that are equivalent with the corresponding full LTSs. We covered “deadlock equivalence”
(the reduced LTS has exactly the same deadlock states as the full one), trace equivalence,
CSP-equivalence, CFFD-equivalence, and branching bisimilarity. The methods are based
on requiring that certain conditions are satisfied by the stubborn sets used in the states of
the reduced LTS (A0, A1, A2, A3, A4, A6, A8), and by the reduced LTS as a whole (A5,
A7). The condition A8 implies A0, A1, A2, A3, A4, and A6; and A7 implies a variant of
A5. Table 1 summarizes the conditions required by each method.


Table 1: Conditions required by the methods in this article

Conditions: A0 A1 A2 A3 A4 A5 A6 A7 A8
deadlocks: X X X
trace: X X X X X
CSP: X X X X X X
CFFD: X X X X X X X
branching bisim.: X X

Hundreds of process equivalences have been described in the literature, and we
examined only a small minority of them. Perhaps the most important equivalence that we
did not treat separately is the weak bisimilarity of the CCS theory [Mil89]. Because
branching bisimilarity implies weak bisimilarity, the method for branching bisimilarity
preserves also weak bisimilarity. On the other hand, the more a method preserves, the less
reduction it gives. A method that preserves weak bisimilarity but not branching bisimilarity
might therefore lead to better reduction results than the use of the branching bisimilarity
method for weak bisimilarity. Unfortunately, the example in Figure 4 leaves little hope
of finding such a method.

Most of the numerous equivalences in the literature are based on a small set of ideas.
If the experience with weak bisimilarity generalises to many other equivalences, then
it will not be possible to fine-tune reduced LTS construction methods to each equivalence
separately. In such a case the methods presented in this article might be near optimal for
many equivalences that we did not discuss. It is, however, impossible to say at the present
state of knowledge whether this is really the case.

Most, if not all, of the conditions A0 to A8 are difficult to implement in their full
generality. Therefore, the implementations mentioned in this article give sufficient conditions
that are often more stringent than absolutely necessary, and alternative implementations
do not necessarily yield equal results. In Theorem 3.2, “dependency” between transitions
was analysed at a rather coarse level. It seems possible to devise more and more complicated
structural conditions that correspond to more and more careful analysis. It would
thus be hopeless to try to find any “best” structural conditions or implementations of A0 to
A8. Furthermore, although we attempted to present A0 to A8 in as abstract forms as possible,
we failed to capture all possibilities. For instance, [Val91] develops a theory of so-called
weak stubborn sets, where A2 does not hold for every enabled action. Again, it
seems hopeless to find any “most general” versions of A0 to A8.

An important topic not covered in this article is on-the-fly verification. The goal of an
on-the-fly method is to demonstrate already during the construction of the reduced state
space the presence or absence of some property. One could, for instance, monitor for illegal
traces on-the-fly, and stop the construction of the reduced LTS when an illegal trace is
found. “Ordinary” (i.e. based on constructing the full, not a reduced, state space) on-the-fly
methods have been developed for several properties. Also the combination of on-the-fly
and reduced state space methods has been investigated [Val93, Pel96a]. The method in
[Pel96a] is intended for linear time temporal logic properties, and it was presented in a
framework with deterministic transitions. [Val93] uses the framework of parallel LTSs and
non-deterministic actions, but there is some evidence that the methods suggested in it are
not necessarily optimal. Apparently some more research is needed to find the best combination
of on-the-fly and stubborn set techniques for process-algebraic verification.

In the process algebra literature, “reduction” sometimes means the transformation of
an LTS to a smaller, equivalent LTS. Reduction algorithms in that sense of the word facilitate
compositional LTS construction: if each component process of a parallel composition
is reduced before computing the parallel composition, then a smaller, but equivalent result
is obtained. This approach may be applied hierarchically for even better results. It is worth
noticing that the stubborn set method and compositional LTS construction take advantage
of different aspects of systems, and neither one makes the other unnecessary. That compositional
LTS construction does not make the stubborn set method unnecessary was demonstrated
in [Val92b] by analysing an example system taken from [GrS91]. The example has
9n · 2^(n-2) states, where n is the number of the components of the system. The example had
been intentionally constructed to demonstrate that ordinary compositional LTS construction
does not always work well. Indeed, it fails totally by yielding intermediate LTSs that
are bigger than the full LTS. [GrS91] suggested an advanced compositional LTS construction
method that relies on some manual guidance, and requires the construction of several
LTSs from the example. Experimental evidence reported in [GrS91] strongly suggests that
the biggest of them has 4n + 4 states. The CFFD-preserving stubborn set method is fully
automatic and requires the construction of only one LTS, and the LTS has 5n states. So at
least in this case, the stubborn set method beats compositional LTS construction, and compares
favourably with its advanced version in [GrS91].
Abstract

Partial order reductions are a family of techniques for diminishing the
state-space explosion problem for model-checking concurrent programs. They
are based on the observation that execution sequences of a concurrent program
can be grouped together into equivalence classes that are indistinguishable by
the property to be checked. Applying the reduction to a description of a
program results in a reduced state-space that generates at least one representative
for each equivalence class. When moving to branching models, e.g., as
in branching temporal logics or process algebras, the execution sequences are
grouped together into a single tree. In this case, the reduction must also be
sensitive to preserving the branching points, where executions with a common
prefix depart from each other.


1  Introduction 

Total order semantics, also referred to as interleaving semantics, are traditionally
considered easier to work with, as they lend themselves to simple representations
and manipulation, e.g., using finite state machines. Partial order semantics is more
recent in modeling concurrent programs. It is argued by its supporters that it can
reflect the executions of concurrent systems more accurately, and hence is sometimes
called true concurrency. In recent years, new research showed several advantages of
various partial order specification and verification methods over total order based
methods in terms of efficiency and expressiveness.

Partial order reduction techniques were developed to alleviate the state-space
explosion in automatically verifying concurrent programs [32, 9, 12, 11, 33, 28, 29,
17, 6]. These techniques were integrated in tools such as SPIN [17] and VFSMvalid
[11]. Using the partial order reduction techniques, it has become possible
to analyze problems of larger size, which did not lend themselves to automatic
verification before. The simplicity of the principles behind these methods suggests
that they can be integrated into any state-based automatic verification tool.

In this paper we survey a family of partial order reduction methods. We show
how equivalence relations can be used to group together sequences that are indistinguishable
with respect to the specification. This makes it possible to construct a reduced
state-space for the checked system. A reduced state-space for a concurrent system
contains only representative sequences from each equivalence class rather than
all the sequences in the class. An algorithm for deciding whether a specification
cannot distinguish between equivalent sequences for such an equivalence relation is
described. We also show how this approach can be extended to deal with branching-time
specification.

We concentrate here on the reduction strategy called ample sets method [28, 29,
6]. We will mention, but not survey, related methods for partial order based verification
and model-checking, including faithful decompositions [19, 20], stubborn
sets [32, 33], persistent and sleep sets [9, 12, 11]. These methods share the idea of
selecting only a subset of the successors from a given program state. They differ in
the details of selecting these subsets, and the properties preserved by the reduction.


2  Modeling  Concurrent  Systems 

2.1  State  Spaces  of  Concurrent  Systems 

A finite state system F is a triple (S, T, ι), where

• S is a finite set of states,

• T is a finite set of deterministic transitions. For each transition a ∈ T we
associate a partial function a : S ↦ S, with a domain en_a ⊆ S.

• ι ∈ S is the initial state.

The states en_a ⊆ S are those from which a is executable or enabled. The set
of transitions enabled at a state s is denoted by enabled(s). When a is enabled
from s, executing a from s results in the state t = a(s). We will also denote
this by (s, t) ∈ a. Executing the transitions a_0a_1...a_i hence obtains the state
a_i(a_{i-1}(...a_1(a_0(ι))...)).

An interpreted system is a triple I = (F, P, M), where

• F = (S, T, ι) is a finite state system,

• P is a finite set of propositions, and

• M : S ↦ 2^P is the state labeling function.

In the sequel we will use the term system for interpreted finite state systems.

The (full) state-space SP(I) of a system I = (F, P, M) where F = (S, T, ι),
is a labeled graph (V, E) such that
• V ⊆ S is the minimal set of reachable states satisfying:

1. ι ∈ V,

2. If s ∈ V and (s, t) ∈ a ∈ T, then t ∈ V.

• E = {(s -a-> t) | (s, t) ∈ a ∈ T}

Thus, the state-space of I contains the states reachable from the initial state ι
by repeatedly executing the transitions T of I. The label of e = s -a-> t is a.

The transitions sequences generated by I correspond to edge labels along the
maximal paths of SP(I) that start from the initial state ι. Hence, a transitions
sequence is a finite or infinite sequence of transitions a_0a_1... such that there
exists a sequence of states s_0s_1s_2... satisfying

• s_0 = ι [The first state is the initial state.]

• for each i ≥ 0,  (s_i, s_{i+1}) ∈ a_i. [Each adjacent pair of states corresponds to
the execution of a transition. We say that s_{i+1} is reached after executing a_i.]

• The sequence is maximal, namely it is either infinite, or ends with a state s
such that enabled(s) = ∅.

The states sequence that corresponds to a transitions sequence v is denoted by
states(v). For simplicity, it is possible to assume that all transitions sequences
are infinite. This can be achieved by adding a new transition a' such that en_{a'} =
S \ ∪_{a∈T} en_a, and a' = {(s, s) | s ∈ en_{a'}}. In this case, each state has at least one
successor.

Notice that the state-space of a system I can be considered as a more explicit
representation of I; I contains in S all the potential states of I, while SP(I)
contains in V only the actual states that can be reached. The partial order reduction
algorithms are aimed at generating a graph smaller than SP(I) that represents
enough information about the property that we want to check.

For each transitions sequence v of SP(I) there is a sequence prop(v) of sets of
propositions obtained in the following way: if states(v) = s_0s_1s_2..., then prop(v)
is the sequence M(s_0)M(s_1)M(s_2).... Thus, there are three languages defined for
an interpreted system I:

• The language L(I) ⊆ T^ω of transitions sequences.

• The language L_states(I) ⊆ S^ω of states sequences.

• The language L_prop(I) ⊆ (2^P)^ω of propositional sequences.

A specification for a system I can be given as a language over one of the three
domains T, S or 2^P. Most specifications use transitions or propositional sequences.
In the rest of this section we will usually treat the latter case; the others can be
dealt with similarly. In model-checking, the specification is often given using a
regular automaton over infinite words, e.g., as a Büchi automaton, or using a logic,
such as linear temporal logic (LTL) [31]. A system I satisfies the specification φ
corresponding to the language L_φ, where both are using the same set of propositions
P, iff L_prop(I) ⊆ L_φ. Graph-theoretical algorithms [23] can then be applied to state
space graphs to check that I satisfies φ.


2.2  Traces  and  Trace  Equivalence 

Using interleaving semantics has a lot of advantages for modeling concurrent systems.
In particular, its simplicity and use of sequences allows exploiting automata
and language theory. On the other hand, interleaving semantics is often criticized
for distinguishing between entities that are basically the same. Namely, it can distinguish
between executions which differ from each other only by the order of some
concurrently executed transitions. This order is largely artificial. Trace semantics
groups transitions sequences into equivalence classes, allowing a higher abstraction
of the specified system. One can exploit this for model-checking properties that
do not distinguish between different sequences that are trace-equivalent.

A concurrent alphabet is a pair (T, D), where T is a finite set (representing
transitions in our context), and D ⊆ T × T is a symmetric and reflexive relation
called the dependency relation.

We define trace equivalence in several steps:

1. Define the relation ≐ ⊆ T* × T* such that v ≐ v' iff v = v' or v = uabw,
v' = ubaw for some u, w ∈ T*, (a, b) ∉ D.

2. Define the trace equivalence [24] relation ≡ for finite sequences as the reflexive
and transitive closure of ≐. Thus, v ≡ w iff one can obtain v from w by
repeatedly commuting the order of adjacent independent letters.

3. Define the trace preorder relation ⊑ among infinite strings as follows: v ⊑ v' iff
for each finite prefix u of v, there exists a finite prefix u' of v' and a finite
string w such that uw ≡ u'.

4. Define trace equivalence among infinite strings [2] such that v ≡ v' iff v ⊑ v'
and v' ⊑ v.

Thus, for the concurrent alphabet ({a, b}, {(a, a), (b, b)}) we have aabb ≡ abab,
aabb ≡ bbaa, aaab^ω ⊑ (ab)^ω, and (ab)^ω ≡ (aab)^ω.

Traces are then the equivalence classes of the relation ≡ over finite or infinite
strings.

To achieve that if v ≡ w, then v is a transitions sequence of I iff w is a transitions
sequence of I, we enforce the following two conditions for independent transitions
(a, b) ∉ D:

D1 If s ∈ en_a, then s ∈ en_b iff a(s) ∈ en_b [executing a does not affect the
enabledness of b].

D2 If s ∈ en_a ∩ en_b then a(b(s)) = b(a(s)). [When both a and b are enabled,
executing them in either order results in the same state.]

2.3  Stuttering  Equivalence 

Denote Σ^∞ = Σ* ∪ Σ^ω. The stuttering removal operator ♮ : Σ^∞ ↦ Σ^∞ applied to a
string v replaces every maximal finite subsequence of identical elements by a single
copy of this element. For example, ♮(aabaaacc) = abac, ♮(aabaaac^ω) = abac^ω.

Two sequences v, w will be considered stuttering-equivalent iff ♮v = ♮w. We denote
this by v ≃ w. Lamport argued [22] that a specification should not distinguish
between two propositional sequences that are stuttering equivalent.

2.4  Fairness  Constraints 

The total order semantics or interleaving semantics of a program identifies transitions
(or states) sequences as executions of a program. Sometimes, the transitions
sequences that are considered to be executions are constrained using a fairness
assumption. Such a constraint can be given as a language R. If a fairness assumption
R is imposed, only sequences that are fair are considered to be executions of a
system. Hence, the fair transitions sequences L^R(I) of a system I are L(I) ∩ R.

The following fairness assumption is in particular natural when using partial
order semantics:

F-fairness. If a transition a is enabled from some state reached in a fair execution
sequence, then some transition that is dependent on a must appear later in
this sequence.

This fairness assumption was shown in [21, 27] to be equivalent to restricting
the set of sequences to those that are maximal with respect to the relation ⊑.


2.5 Syntax and Semantics of CTL*, CTL and LTL

Let P be a finite set of propositions. The sets of CTL* state and path formulas are
defined inductively:

S1. every member of P is a state formula,

S2. if φ and ψ are state formulas, then so are ¬φ and φ ∧ ψ,

S3. if φ is a path formula, then Aφ is a state formula,

P1. any state formula φ is also a path formula,

P2. if φ, ψ are path formulas, then so are φ ∧ ψ and ¬φ,

P3. if φ, ψ are path formulas, then so is φUψ.

The modal operator A has the intuitive meaning: "for all paths". U denotes the
standard strong "until". CTL* consists of the set of all state formulae. The following
abbreviations will be used: Eφ = ¬A¬φ, Fφ = trueUφ, Gφ = ¬F¬φ.

The logic CTL is obtained by restricting the state modalities E and A and the
path modalities U, F and G to appear paired, i.e., in the combinations EU, EF, EG,
AU, AF and AG.

The logic LTL is obtained by restricting the set of formulas to the form Aφ,
where φ does not contain A and E. We write φ instead of Aφ, when confusion is
unlikely. We purposely avoided using the nexttime operator X, which can express
that a change is made from one specific state to another. (The use of the nexttime
operator can defy the ability to exploit partial order reduction.)

A model for CTL* is a quadruple M = (V, E, ι, M), where V are states, E are
edges, ι ∈ V is a distinguished initial state, and M is an interpretation function,
mapping V into subsets of a set of propositions P. The labels on the edges in
the definition of the graph are only used for the benefit of the description of the
suggested algorithm, but are ignored by the interpretation of the temporal logics.

Denote by π = (s_0, s_1, ...) a maximal path (i.e., a path that is either infinite
or cannot be extended) of M, starting at s_0 ∈ V. Denote the first state of π by
first(π). The suffix of π, starting from state s_i, will be denoted π_i. The satisfaction
of a formula φ in a state s of V is written M, s ⊨ φ, or just s ⊨ φ. It is defined
inductively as follows:

S1. s ⊨ q iff q ∈ M(s), for q ∈ P,

S2. s ⊨ ¬φ iff not s ⊨ φ,  s ⊨ φ ∧ ψ iff s ⊨ φ and s ⊨ ψ,

S3. s ⊨ Aφ iff π ⊨ φ for every maximal path π starting at s,

P1. π ⊨ φ iff first(π) ⊨ φ for any state formula φ,

P2. π ⊨ ¬φ iff not π ⊨ φ,  π ⊨ φ ∧ ψ iff π ⊨ φ and π ⊨ ψ,

P3. π ⊨ φUψ iff there is an i ≥ 0 such that π_i ⊨ ψ and π_j ⊨ φ for all 0 ≤ j < i.

When using a fairness assumption to limit the execution sequences, we replace
path by “fair path” in the above definition. (As usual, we require that a fairness
assumption satisfies that an infinite sequence is fair iff each suffix of it is fair.) We
write M ⊨ φ iff M, ι ⊨ φ. Notice that for an LTL specification Aφ, M ⊨ Aφ iff
every (fair) sequence of M satisfies φ.

3  Verification  Using  Representatives 

We  are  interested  in  generating  a  reduced  state-space  for  a  system  I  (without  having 
to  construct  first  the  full  state  space).  Although  we  want  the  reduced  state-space 
to  be  as  small  as  possible,  it  must  still  contain  enough  information  to  preserve 
the  checked  property.  The  aim  is  that  the  model-checking  algorithm  would  be 
applicable  to  the  reduced  state-space  instead  of  the  full  one.  Besides  preserving  the 
truth  of  the  checked  specification,  the  reduced  state-space  needs  also  to  be  able  to 
supply  a  counter-example  in  the  case  that  the  specification  does  not  hold  for  the 
checked  system. 
3.1 Ample Sub-state-spaces

A sub-state-space S for a system I = (F, P, M) is a labeled subgraph (V', E') of
SP(I) = (V, E) such that

• ι ∈ V' [V' includes the initial state],

• V' ⊆ V, and

• E' ⊆ E ∩ (V' × T × V').

Similar to state-spaces, a sub-state-space S generates a set of transitions sequences
L(S), a set of states sequences L_states(S) and a set of propositional sequences
L_prop(S). In fact, we have:

L(S) ⊆ L(I),  L_states(S) ⊆ L_states(I),  L_prop(S) ⊆ L_prop(I)

Definition 3.1 A language L is said to be closed under an equivalence relation ≃,
if for every equivalence class C of ≃, either C ⊆ L or C ∩ L = ∅. We also say that
≃ saturates L.

Definition 3.2 A sub-state-space of a system I is said to be ample with respect
to the equivalence relation ≃ if it generates at least one transitions (or states, or
propositional) sequence for every equivalence class C of ≃ such that C ∩ L(I) ≠ ∅.

The following simple observation suggests the use of equivalences in conjunction
with sub-state-spaces:

Let L_φ be the language of a specification φ that is closed under an
equivalence relation ≃. Let S be an ample sub-state-space for a system
I with respect to ≃. Then, L(S) ⊆ L_φ (L_prop(S) ⊆ L_φ, respectively)
iff L(I) ⊆ L_φ (L_prop(I) ⊆ L_φ, resp.).

To exploit the above observation, we need an equivalence relation ≃ where the
following exist:

1. An effective way to decide whether a given specification φ is closed under ≃.

2. An effective way to construct an ample sub-state-space for I with respect to ≃.

3.2 Checking Equivalence Closedness

Section 3.1 motivated the need for checking whether a specification φ is closed
under a given equivalence relation ≃. In [30], an algorithm is given for deciding
the closure of a specification for a given class of equivalence relations, represented
as either a non-deterministic automaton (over infinite words) or as a linear temporal
logic formula. This class includes in particular trace and stuttering equivalence.
It is characterized by having a symmetric and reflexive relation ≐ on finite strings
such that

• ≈_fin is the transitive closure of ≐ (hence ≈_fin is an equivalence relation).

• ≐ ⊆ Σ* × Σ* is a regular language (i.e., recognizable by a finite automaton)
over the alphabet Σ × Σ. Thus, ≐ is defined between strings of equal lengths.

• ≈_fin is a left cancellative relation, i.e., if vw ≈_fin vw', then w ≈_fin w'.

• ≈ is defined as the limit extension of ≈_fin, namely v ≈ v' iff

– for each finite prefix u of v, there exists a finite prefix u' of v' and a finite
string w such that uw ≈_fin u', and

– for each finite prefix u' of v', there exists a finite prefix u of v and a finite
string w' such that u'w' ≈_fin u.

The definition of trace equivalence ≡ in Section 2.2 already uses the relation ≐,
which satisfies the above conditions.

For stuttering equivalence, there is a small technical complication in obtaining
a relation ≐, as it needs to be defined between pairs of strings of equal length. We
achieve this by extending the alphabet into Σ ∪ {$}, where $ serves only to force
the strings to have the same length. Then, ≐ can relate u with itself, and uav$
with uaav, where u, v ∈ Σ* and a ∈ Σ.

Checking that an ω-regular language L, represented by a Büchi automaton A_L,
is closed under an equivalence relation ≈ that satisfies the above conditions can
be done using the following algorithm, introduced in [30]. The algorithm checks
the emptiness of the intersection of the following three languages over the alphabet
Σ × Σ ((Σ ∪ {$}) × (Σ ∪ {$}) for stuttering equivalence, respectively). Hence, each
infinite word w = (w_1, w_2) over this alphabet has a left component w_1 and a right
component w_2. The three languages are:

1. The language where the left component w_1 of the input is in L (after removing
the $ symbols, respectively).

2. The language where the right component w_2 of the input is not in L (after
removing the $ symbols, respectively).

3. An automaton that checks that the input can be decomposed into infinitely
many factors that are all elements of ≐.

The naive way to implement the algorithm by constructing the automata for
the three languages and then intersecting them can take space exponentially bigger
than A_L. However, the algorithm can be implemented in PSPACE [30]. The idea
is that there is no need to fully construct the automaton for the complement of the
language L; instead, one can use a binary search through the state-space of such a
complement automaton [35].

When the specification $L$ is given as a temporal formula it is not necessary to first translate the formula into a Büchi automaton. Such a translation again requires, in the worst case, space exponential in the size of the formula. It is again possible to conduct a binary search through the state-space of the corresponding automata, for $L$ and for $\neg L$. This requires space only polynomial in the size of the checked formula. For the stuttering and trace equivalences, checking closedness is PSPACE-complete, by a reduction from universality of $\omega$-regular automata [30].


4 Partial Order Reduction for Linear Specifications

Partial order reduction methods is a generic name for a family of model-checking methods that avoid constructing the full state-space of the checked program. The family of methods is historically related to partial orders because of the connection between traces and partial order semantics [24]. The basic idea of the reduction is to generate at least one transition sequence for each such trace. However, as will be seen later, this is not always what happens: there are cases where a single sequence represents a collection of traces.

4.1 The Ample-Sets Reduction Method

Partial order reduction is based upon modifying the depth first search (DFS) construction of a state-space, depicted in Figure 1. (Alternatively, one can use other search methods, e.g., breadth first search [4].) The DFS creates a node for a global state (starting with the initial state $\iota$), pushes this node onto its stack, then recursively creates nodes for all the successors of this node, and pops the node from the stack after all its successors have been created. When a new node is generated, its value is hashed into a hash table (using the procedure create_node at line 9). Checking whether a node is new is done by checking whether it already exists in the hash table (using the function new at line 8). A node that has already been discovered during the search is said to be 'open' if it is on the stack (line 2) and 'closed' once it is removed from the stack (line 13). Although the information about whether a node is open or closed is not used here, it will be used in the sequel for detecting cycles. Recall that a cycle is detected exactly when an edge is created (at line 11) pointing to a node that is open (hence not new).

The partial order reduction algorithm modifies the DFS by expanding only a subset of the enabled transitions from each state:

3   working_set(s) := ample(s);

where $ample(s) \subseteq enabled(s)$. If $ample(s) = enabled(s)$, we say that $s$ is fully expanded.

The  modified  DFS  obviously  generates  a  sub-state-space.  The  problem  is  how 
to  select  these  ample  sets  of  successors  such  that  the  sub-state-space  will  be  ample 
with  respect  to  a  given  effective  equivalence  relation. 

The ample sets method provides a set of constraints for selecting the successors of a state. The set of constraints depends on the effective equivalence relation used. This in turn can depend on the specification to be checked and whether a fairness constraint is assumed.

1   proc DFS(s);
2     push s;  /* s is becoming open */
3     working_set(s) := enabled(s);
4     while working_set(s) ≠ ∅ do
5       let a ∈ working_set(s);
6       working_set(s) := working_set(s) \ {a};
7       t := a(s);
8       if new(t) then
9         create_node(t);
10        DFS(t) fi;
11      create_edge(s, a, t);
12    end while;
13    pop s;  /* s is becoming closed */
14  end DFS.

Figure 1: Using DFS to construct the state-space graph of a program

In order to present such a set of constraints, define a visible transition [33] to be a transition $a \in T$ that can change the propositional interpretation of a state:

Definition 4.1 Given an interpreted system $\mathcal{I} = (\Sigma, P, M)$ where $\Sigma = (S, T, \iota)$, a transition $a \in T$ is visible if there are two states $s, t \in S$ such that $M(s) \neq M(t)$ and $t = a(s)$.

We will consider the following constraints:

C0 [Non-emptiness condition] $ample(s)$ is empty iff $enabled(s)$ is empty.

C1 [Faithful decomposition [19, 32, 28, 11]] For every path of $SP(\mathcal{I})$ starting from the state $s$, a transition that is dependent on some transition in $ample(s)$ cannot appear before a transition from $ample(s)$.

C2 [Cycle closing condition [28]] If $s$ is not fully expanded then for no transition $a \in ample(s)$ is $a(s)$ on the search stack (i.e., open).

C3 [Non-visibility condition [29]] If $s$ is not fully expanded then none of the transitions in $ample(s)$ is visible.

Condition C2 can be weakened to require that every cycle in the reduced state space contains at least one fully expanded node. An algorithm for checking this weaker condition was suggested in [32].

We have the following results concerning sub-state-spaces constructed using ample sets:

Theorem 4.2 ([28]) The sub-state-space constructed using conditions C0-C2 is ample with respect to trace equivalence under F-fairness.


Hence, if the specification is given as a language that is closed under trace equivalence, and F-fairness is assumed, one can use a sub-state-space that is constructed while conditions C0-C2 are satisfied at each one of its states. Several temporal logics were devised for expressing properties that are closed under trace equivalence, e.g., the logics TrPTL [36] and TLC [1]. Alternatively, one can use the decision procedure of [30], presented in Section 3.2, to check whether a given LTL or Büchi automaton specification is closed under trace equivalence.

If  the  specification  is  not  closed  under  trace  equivalence,  one  can  keep  adding 
new  dependencies,  until  it  becomes  closed.  Of  course,  adding  dependencies  can 
ultimately  completely  prohibit  the  reduction,  e.g.,  when  all  transitions  are  made 
interdependent. 

There  is  a  subtle  point  to  notice  about  adding  dependencies:  the  definition  of  F- 
fairness  is  sensitive  to  the  dependency  relation  used.  By  adding  more  dependencies, 
more  sequences  would  become  F-fair.  Hence,  at  worst,  representatives  for  sequences 
that  were  not  originally  fair  are  generated.  Since  the  model-checking  algorithm 
applied  to  the  reduced  state-space  will  ignore  unfair  (defined  w.r.t.  the  original 
dependence  relation)  sequences,  correctness  is  preserved. 

To understand why Theorem 4.2 holds, observe the following lemmas, assuming that the sub-state-spaces are constructed under conditions C0-C2:

Lemma 4.3 ([29]) Let $s$ be a state in a sub-state-space $\mathcal{S} = (V', E')$ of an interpreted system $\mathcal{I}$. Let $v$ be a sequence of transitions labeling a path of $SP(\mathcal{I})$ starting at $s$. Then there exists a transition $a \in ample(s)$ such that $v \equiv aw$, for some $w \in T^\omega$.

Proof. According to C1, only transitions that are independent of those in $ample(s)$ can appear in $v$ before some transition of $ample(s)$ appears. The fairness F requires that transitions dependent on those enabled in $s$, in particular those in $ample(s)$, eventually appear. (Notice that the dependency relation $D$ is always reflexive.) Combining the two, $v$ must contain a transition $a \in ample(s)$ that appears after transitions independent of it. Thus, $a$ can be commuted to the beginning. ∎

We aim at simulating each fair path of $\mathcal{I}$ by a fair path of the reduced sub-state-space $\mathcal{S}$. The basic simulation step is based on the following:

Lemma 4.4 ([29]) Let $s$ and $v$ be as in Lemma 4.3. Let $a$ be the first transition of $v$. Then the reduced sub-state-space $\mathcal{S}$ contains a finite path labeled with $b_1 b_2 \ldots b_n a$, such that each $b_i$ is independent of $a$, and $a b_1 b_2 \ldots b_n w \equiv v$ for some $w \in T^\omega$.

Proof. The proof is by induction on the order in which nodes are removed from the stack (at line 13 in Figure 1), i.e., are closed. There are two cases. In the first case, $a \in ample(s)$, hence the corresponding path has length one. In the second case, $a \notin ample(s)$. Hence, according to Lemma 4.3, there is a transition $b_0 \in ample(s)$ that is independent of $a$ and appears in $v$ after a sequence of transitions that are independent of $b_0$. We can look now at the state $s' = b_0(s)$. Since $a \notin ample(s)$, we know from Condition C2 that the transition $b_0$ could not close a cycle. Hence, $s'$ is created after $s$ and thus, according to the DFS order, will be removed from the stack before $s$. Therefore, we can assume the induction hypothesis for $s'$, i.e., there exists a sequence $b_1 b_2 \ldots b_n a$ from $s'$ such that each $b_i$ is independent of $a$. The required sequence is then $b_0 b_1 b_2 \ldots b_n a$. ∎

Lemma 4.4 can be used to show that for each sequence $v$ of $\mathcal{I}$ there exists a sequence $w$ such that $w \equiv v$ in $\mathcal{S}$, proving Theorem 4.2. The proof in [29] constructs the path $w$: each transition $a_i$, taken in its turn from $v = a_0 a_1 a_2 \ldots$, either (a) appears in $w$ after some 'deficit' sequence of independent transitions $b_1 b_2 \ldots b_n$, according to Lemma 4.4, or (b) has already appeared as part of the so far accumulated deficit.

Unfortunately, when the fairness condition F (or any stronger fairness condition) is not assumed, Lemma 4.3 does not hold. Hence, Lemma 4.4 and Theorem 4.2 do not hold either. To see this, assume there is a transition $a$ which is enabled at a state $s$, and independently, a loop starts at $s$, consisting of the transitions $b$ and $c$, which are independent of $a$. Thus, $enabled(s) = \{a, b\}$. Then, without assuming F-fairness, the transition sequence $v = (bc)^\omega$ starting at state $s$ is allowed. Choosing $ample(s) = \{a\}$ satisfies the conditions C0-C2, hence no sequence equivalent to $v$ starts from $s$ in the constructed sub-state-space.

To recover the situation, observe that although the sequence $w = a(bc)^\omega$ is not trace-equivalent to $v$, $a$ appears before a sequence of independent transitions. If $a$ is invisible, then no stuttering-closed specification can distinguish between $v$ and $w$. We have the following:

Theorem 4.5 ([29]) The sub-state-space constructed using conditions C0-C3 is ample with respect to stuttering equivalence.
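The following Python program is an added example, not code from the paper, that makes the two equivalence relations of this section concrete on finite prefixes. It decides trace equivalence through the lexicographically least representative of a word's trace (repeatedly commuting to the front the smallest letter whose first occurrence is independent of everything before it), and stuttering equivalence by collapsing repeated propositional interpretations along the two words. The dependency relation (b and c assumed interdependent, a independent of both), the single proposition p (b sets it, c resets it, a leaves it unchanged) and the start valuation are constructed to mirror the example above with $v = (bc)^\omega$ and $w = a(bc)^\omega$.

```python
"""Trace equivalence and stuttering equivalence on finite transition words.

Added example (not the paper's code). The dependency relation, the
propositional effects of a, b, c and the start valuation are constructed.
"""
from itertools import groupby

# Constructed dependency relation: b and c are assumed interdependent (they
# form the loop); a is independent of both. dependent() closes the relation
# under reflexivity and symmetry, as the paper requires of D.
DEP = {("b", "c")}


def dependent(x, y, dep=DEP):
    return x == y or (x, y) in dep or (y, x) in dep


def trace_normal_form(word, dep=DEP):
    """Lexicographically least word in the trace class of `word`.

    At each step the smallest letter that can be commuted to the front (its
    first occurrence is independent of every letter before it) is chosen.
    Two finite words are trace equivalent iff their normal forms coincide.
    """
    rest, out = list(word), []
    while rest:
        best = None
        for i, x in enumerate(rest):
            if all(not dependent(y, x, dep) for y in rest[:i]):
                if best is None or x < rest[best]:
                    best = i
        out.append(rest.pop(best))
    return "".join(out)


def trace_equivalent(v, w, dep=DEP):
    return trace_normal_form(v, dep) == trace_normal_form(w, dep)


# Constructed effects on the single proposition p: a leaves the propositional
# state unchanged (so it is invisible), b sets p, c resets p.
EFFECTS = {"a": lambda p: p, "b": lambda p: True, "c": lambda p: False}


def is_visible(t, effects=EFFECTS):
    """Definition 4.1 over the two propositional states: t is visible iff it
    changes the interpretation of some state."""
    return any(effects[t](p) != p for p in (False, True))


def labels(word, start=False, effects=EFFECTS):
    """Sequence of interpretations M(s0) M(s1) ... along `word` from `start`."""
    seq, p = [start], start
    for t in word:
        p = effects[t](p)
        seq.append(p)
    return seq


def stutter_collapse(seq):
    """Merge maximal runs of equal interpretations into one."""
    return [k for k, _ in groupby(seq)]


def stuttering_equivalent(v, w, start=False, effects=EFFECTS):
    return (stutter_collapse(labels(v, start, effects))
            == stutter_collapse(labels(w, start, effects)))


if __name__ == "__main__":
    v, w = "bcbc", "abcbc"  # finite prefixes of (bc)^omega and a(bc)^omega
    print(trace_equivalent(v, w))              # False: w has an a, v does not
    print(trace_equivalent("abcbc", "bcbca"))  # True: a commutes past b and c
    print(is_visible("a"), is_visible("b"))    # False True
    print(stuttering_equivalent(v, w))         # True: the invisible a only stutters
```

On the prefixes bcbc and abcbc the normal forms differ (abcbc contains an a that bcbc lacks), so the words are not trace equivalent, while abcbc and bcbca share the normal form abcbc. Since a does not change p it is invisible by Definition 4.1, and the collapsed label sequences of both prefixes coincide, which is the sense in which a stuttering-closed specification cannot tell $v$ from $w$. The check is on finite prefixes only; the limit extension to infinite sequences is the $\equiv^\omega$ construction of Section 3.2.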


5 Reduction for Branching TL and Process Algebras

Preserving properties based on branching semantics, where execution sequences are embedded in a tree, requires an additional constraint. The reason is that with branching properties one can observe the points where execution sequences depart from each other.

The lefthand structure of Figure 2 contains an example of a full state space $\mathcal{M}$ for a system with a set of transitions $T = \{a, b, c, d, e\}$ such that $D = T \times T \setminus \{(a, b), (b, a), (a, c), (c, a)\}$. This structure does not satisfy the CTL formula $\varphi = AG((p \wedge \neg q) \rightarrow (AF\, q \vee AF\, \neg q))$. The reduced state space $\mathcal{M}'$ on the righthand side of Figure 2, obtained by preserving conditions C0-C3, satisfies $\varphi$.

Figure 2: Example where C0-C3 do not suffice to preserve CTL.


To  recover  the  correctness  of  the  reduction  for  the  branching  case,  we  impose 
the  following  constraint: 

C4  [Singleton  condition  [6]]  Either  s  is  fully  expanded,  or  ample(s)  contains  exactly 
one  transition. 

5.1  Behavioral  Equivalences 

We  consider  here  several  notions  of  behavioral  equivalences  that  are  preserved  under 
our  partial  order  reduction.  Some  connections  between  behavioral  equivalences  and 
logics  allow  adopting  the  reduction  for  various  logical  formalisms. 

Definition 5.1 ([3]) A relation $\approx_{sb} \subseteq V \times V'$ is a stuttering simulation between the states of two structures $\mathcal{M} = (V, E, \iota, M)$ and $\mathcal{M}' = (V', E', \iota', M')$ if the following conditions hold:

1. $\iota \approx_{sb} \iota'$,

2. if $s \approx_{sb} s'$, then $M(s) = M'(s')$ and for every maximal path $\pi$ of $\mathcal{M}$ that starts at $s$, there is a maximal path $\pi'$ in $\mathcal{M}'$ that starts at $s'$, a partition $B_1 B_2 \ldots$ of $\pi$, and a partition $B'_1 B'_2 \ldots$ of $\pi'$ such that for each $j > 0$, $B_j$ and $B'_j$ are nonempty and finite, and every state in $B_j$ is related by $\approx_{sb}$ to every state in $B'_j$.

A relation $\approx_{sb}$ is a stuttering bisimulation if both $\approx_{sb}$ and $\approx_{sb}^{-1}$ (the transpose of $\approx_{sb}$) are stuttering simulations.
The following theorem connects CTL* (as defined without the nexttime operator) and stuttering bisimulation:

Theorem 5.2 (see [3]) Let $\varphi$ be a CTL* formula over the set of atomic propositions $P$. Let $\mathcal{M}$ and $\mathcal{M}'$ be two structures, where the range of the labeling functions $M$ and $M'$ is the subsets of the atomic propositions $P$. Let the relation $\approx_{sb}$ be a stuttering bisimulation between the states of $\mathcal{M}$ and $\mathcal{M}'$. Then for every pair of stuttering bisimilar states $s \approx_{sb} s'$ it holds that $\mathcal{M}, s \models \varphi$ iff $\mathcal{M}', s' \models \varphi$.

Definition 5.3 (Branching bisimulation [8, 26]) A relation $\approx_{bb} \subseteq V \times V'$ is a branching simulation between the states of two structures $\mathcal{M} = (V, E, \iota, M)$ and $\mathcal{M}' = (V', E', \iota', M')$ if it satisfies the following conditions:

1. $\iota \approx_{bb} \iota'$, and

2. if $s \approx_{bb} s'$ and $s \xrightarrow{b} t$, then either $b = \tau$ and $t \approx_{bb} s'$, or there exists a path $s' = s_0 \xrightarrow{\tau} s_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} s_n \xrightarrow{b} t'$ in $\mathcal{M}'$ such that $s \approx_{bb} s_i$ for $0 \le i \le n$, and $t \approx_{bb} t'$.

A relation $\approx_{bb}$ is a branching bisimulation if both $\approx_{bb}$ and $\approx_{bb}^{-1}$ are branching simulations.

Let $\mathcal{M} = (V, E, \iota, M)$ be a structure. Denote $s \overset{a}{\Longrightarrow} s'$ if there exists a path $s = s_0 \xrightarrow{\tau} s_1 \xrightarrow{\tau} \cdots \xrightarrow{\tau} s_i \xrightarrow{a} s_{i+1} \xrightarrow{\tau} \cdots \xrightarrow{\tau} s_n = s'$. When $a$ is $\tau$, the path can be empty, whence $s$ equals $s'$.

Definition 5.4 A relation $\approx_{wb} \subseteq V \times V'$ is a weak simulation [25] between structures $\mathcal{M} = (V, E, \iota, M)$ and $\mathcal{M}' = (V', E', \iota', M')$ if it satisfies the following conditions:

1. $\iota \approx_{wb} \iota'$, and

2. if $s \approx_{wb} s'$ and $s \xrightarrow{a} t$, then there exists $t'$ such that $s' \overset{a}{\Longrightarrow} t'$ in $\mathcal{M}'$ and $t \approx_{wb} t'$.

A relation $\approx_{wb}$ is a weak bisimulation if both $\approx_{wb}$ and $\approx_{wb}^{-1}$ are weak simulations.

Notice that the interpretation functions $M$ and $M'$ are irrelevant and hence can be omitted in both branching and weak bisimulation. We now define a behavioral equivalence that includes conditions on both states and edges. To tie together stuttering bisimulation, which observes states but ignores transitions, and branching bisimulation, which observes transitions and ignores states, we define the following stronger equivalence relation:

Definition 5.5 A relation $\approx_{vb} \subseteq V \times V'$ is a visible simulation between the states of two structures $\mathcal{M} = (V, E, \iota, M)$ and $\mathcal{M}' = (V', E', \iota', M')$ if $\iota \approx_{vb} \iota'$, and when $s \approx_{vb} s'$, the following conditions hold:

1. $M(s) = M'(s')$.

2. If $s \xrightarrow{b} t \in E$, either $b$ is invisible and $t \approx_{vb} s'$, or there exists a path $s' = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{n-1}} s_n \xrightarrow{b} t'$ in $\mathcal{M}'$ such that $s \approx_{vb} s_i$ for $0 \le i \le n$, $a_i$ is invisible for $0 \le i < n$, and $t \approx_{vb} t'$.

3. If there is an infinite path $s = t_0 \xrightarrow{b_0} t_1 \xrightarrow{b_1} \cdots$, where $b_i$ is invisible and $t_i \approx_{vb} s'$ for $i \ge 0$, then there exists a path $s' = r_0 \xrightarrow{c_0} r_1 \xrightarrow{c_1} \cdots \xrightarrow{c_{j-1}} r_j \xrightarrow{b_j} r_{j+1}$, with $j \ge 0$, such that $s \approx_{vb} r_i$ for $0 \le i \le j$, $c_i$ is invisible for $0 \le i < j$, and $t_{j+1} \approx_{vb} r_{j+1}$.

A relation $\approx_{vb}$ is a visible bisimulation if both $\approx_{vb}$ and $\approx_{vb}^{-1}$ are visible simulations.

Figure 3: Connections between equivalences and logics. The figure relates visible bisimulation $\approx_{vb}$; stuttering bisimulation $\approx_{sb}$ [3], which corresponds to CTL and CTL* (without nexttime); branching bisimulation $\approx_{bb}$ [8, 26]; and weak bisimulation $\approx_{wb}$ [14], which corresponds to Hennessy-Milner Logic HML (with $\tau$ transitions).

It is simple to show that visible bisimulation is stronger than stuttering bisimulation. Hence from Theorem 5.2 we conclude that it preserves CTL* properties (without nexttime). When all invisible transitions are labeled as $\tau$, visible bisimulation is stronger than branching bisimulation, which in turn is stronger than weak bisimulation. This interaction between behavioral equivalences and logics is depicted in Figure 3. In Section 5.2 we show that our reduction (with conditions C0-C4) preserves visible bisimulation. By the connection between weak bisimulation and Hennessy-Milner logic (HML) with $\tau$ transitions [14], the reduction preserves specifications expressed in HML.

The  paper  [34]  in  this  volume  relaxes  the  requirement  that  the  transitions  are 
deterministic.  It  also  studies  various  other  equivalence  relations  related  to  Hoare’s 
CSP  [15]. 
5.2 Correctness of the Algorithm

Let $\mathcal{M} = (V, E, \iota, M)$ be the full state space of an interpreted system $\mathcal{I}$. In order to obtain a visible bisimulation between the full state space and a reduced sub-state-space, define the following relation:

Definition 5.6 Define the relation $\leadsto \subseteq V \times V$ such that $s \leadsto s'$ iff there exists a path $s = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{n-1}} s_n = s'$ such that $a_i$ is invisible and $\{a_i\}$ satisfies condition C1 from state $s_i$ for $0 \le i \le n-1$.

Such a path will be called a forming path. The length of a shortest forming path between $s$ and $s'$ will be called the distance between $s$ and $s'$. It is easy to see that the relation $\leadsto$ is transitive and reflexive (but not necessarily symmetric).

Let $\mathcal{M}' = (V', E', \iota', M')$ be a sub-state-space generated for $\mathcal{I}$ by our partial order reduction algorithm.

Definition 5.7 Let $\approx \; = \; \leadsto \cap (V \times V')$.

Notice that by definition, $\approx \subseteq \leadsto$. Our goal is to show that $\approx$ is a visible bisimulation. We will use a number of simple lemmas:

Lemma 5.8 Let $s \xrightarrow{a} t$ be an edge of $E$ such that $\{a\}$ satisfies Condition C1 from the state $s$. Let $s \xrightarrow{b} r$ be another edge of $E$, with $a \neq b$. Then $\{a\}$ satisfies Condition C1 from $r$.

The following can be proved by a simple induction:

Lemma 5.9 Let $s = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{n-1}} s_n = s'$ be a forming path, and $s \xrightarrow{b} t \in E$. Then there are exactly two possibilities (see Figure 4):

1. $b$ is independent of $a_i$ for $0 \le i < n$. There exists a forming path $t = t_0 \xrightarrow{a_0} t_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{n-1}} t_n$, with $s_i \xrightarrow{b} t_i$ for $0 \le i \le n$.

2. There exists $j < n$ such that $b$ is independent of $a_i$ for $0 \le i < j$, and $b = a_j$. There exists a forming path $t = t_0 \xrightarrow{a_0} t_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{j-1}} t_j$, with $s_i \xrightarrow{b} t_i$ for $0 \le i \le j$. In this case, there is a forming path of length $n - 1$ from $t$ to $s'$.


Corollary 5.10 Let $s \leadsto s'$ and $s \xrightarrow{b} t \in E$. Then there exists an edge $s' \xrightarrow{b} t' \in E$ such that $t \leadsto t'$ in each one of the following cases:

1. $b$ does not appear on some forming path from $s$ to $s'$ (in particular, when $b$ is visible), or

2. $t \not\leadsto s'$.

Figure 4: Two cases of Lemma 5.9. Left: $b$ is independent of $a_i$ for $0 \le i < n$, and the forming path $s_0 \ldots s_n$ is mirrored by the forming path $t_0 \ldots t_n$. Right: $b$ is independent of $a_i$ for $0 \le i < j < n$ and $b = a_j$, so $t_j$ coincides with $s_{j+1}$ and the path from $t$ rejoins the original forming path there.

The reduction algorithm with conditions C0-C4 guarantees the following:

Lemma 5.11 Let $s$ be a state in the reduced sub-state-space $\mathcal{M}'$. Then there is a forming path in $\mathcal{M}'$ from $s$ to some fully expanded node $s'$.

Theorem 5.12 (See [6]) The relation $\approx$ is a visible bisimulation.

Proof. First, observe that $\iota = \iota'$ and $\iota \in V'$. Hence $\iota \approx \iota'$. Let $s \approx s'$. Thus, $s \leadsto s'$. Condition 1 of Definition 5.5 is satisfied since, according to Definition 5.6, there is a path of invisible transitions from $s$ to $s'$. Hence, by Definition 4.1, $M(s) = M(s')$.

We show that condition 2 of Definition 5.5 holds. Let $s \xrightarrow{b} t \in E$. We argue by cases:

Case 1. $t \leadsto s'$ and $b$ is invisible. Immediate from the definition.

Case 2. $t \not\leadsto s'$ or $b$ is visible. According to Corollary 5.10, in both cases there is an edge $s' \xrightarrow{b} t'$ in $\mathcal{M}$ such that $t \leadsto t'$. Notice that by the definition of $\approx$, $s' \in V'$, but it is not necessarily the case that $t' \in V'$. By Lemma 5.11, there is a forming path in $\mathcal{M}'$ from $s'$ to some fully expanded node $s''$. Hence, $s \leadsto s' \leadsto s''$, which implies by transitivity of $\leadsto$ that $s \leadsto s''$. Since $s'' \in V'$, also $s \approx s''$. Again there are two cases (see Figure 5):

Case 2.1. $t' \leadsto s''$ and $b$ is invisible. Then, $t \leadsto t' \leadsto s''$, hence $t \leadsto s''$ and also $t \approx s''$.

Case 2.2. $t' \not\leadsto s''$ or $b$ is visible. Then, according to Corollary 5.10, there is an edge $s'' \xrightarrow{b} t''$, with $t' \leadsto t''$. Thus, $t \leadsto t' \leadsto t''$, hence $t \leadsto t''$. Since $s''$ is fully expanded, $t'' \in V'$, thus $t \approx t''$.

Conversely, let $s' \xrightarrow{b} t' \in E'$. Since $s \leadsto s'$, there is a forming path $s = s_0 \xrightarrow{a_0} s_1 \xrightarrow{a_1} \cdots \xrightarrow{a_{n-1}} s_n = s'$. To satisfy Condition 2 of Definition 5.5, we need only to extend this path with the transition $s_n \xrightarrow{b} t'$.


Figure 5: Cases 2.1 and 2.2 of Theorem 5.12


For proving Condition 3 of Definition 5.5, let $s = t_0 \xrightarrow{b_0} t_1 \xrightarrow{b_1} \cdots$ be an infinite path, with $b_i$ invisible and $t_i \leadsto s'$ for $i \ge 0$. By Lemma 5.11, there is a forming path from $s'$ to $s''$, with $s''$ fully expanded. Thus, $t_i \approx s''$ for $i \ge 0$.

We will show that there exists some $j \ge 0$ such that $b_j$ does not occur on some forming path from $t_j$ to $s''$. The proof will construct a sequence of forming paths $l_i$ from $t_i$ to $s''$, for $0 \le i \le j$, with $l_0$ a path from $s$ to $s''$ via $s'$. Observe that by Lemma 5.9, if $b_i$ appears on $l_i$, then we can construct a path $l_{i+1}$ that is shorter than $l_i$. Since there are infinitely many nodes $t_i$, and $l_0$ has a finite length, this construction must terminate with some $j$ as above. Now, according to Corollary 5.10, there is an edge $s'' \xrightarrow{b_j} t' \in E$ such that $t_{j+1} \leadsto t'$. Since $s''$ is fully expanded, also $t_{j+1} \approx t'$. Appending the edge $s'' \xrightarrow{b_j} t'$ to the forming path from $s'$ to $s''$ results in a path that satisfies Condition 3.

The other direction of Condition 3 is similar to the other direction of Condition 2 above. ∎


6  Implementation  Issues 

Finding ample sets that satisfy condition C1 is based on analyzing the current global state. We will discuss two types of concurrent systems, with matching algorithms. In both cases, we assume that each system consists of a set of processes, with each process containing a (not necessarily disjoint) set of transitions. Each process has a set of local variables that can be changed only by transitions that belong to the process. Transitions whose only effect is to change the process variables are called local transitions. The local state of each process includes the values of its local variables. Each (global) system state is a combination of the local states of all the processes.


Synchronous  Communication 

Synchronous communication systems incorporate CSP- or Ada-like communication. Communication is done cooperatively at the same time by the sender and the receiver. Sending and receiving can thus be considered a single transition, shared by two processes. Hence, the communication transition belongs to both the sending and the receiving process. We say that a communication transition $a$ between a pair of processes $P_i$ and $P_j$ is locally enabled by a process $P_i$ at state $s$ if it can be executed at the current state $s$, or at any state $s'$ such that the local states of $P_i$ in $s$ and $s'$ are the same. This means that $P_i$ is willing to do its part in the communication transition $a$. We assume that such a system includes only local and synchronous communication transitions.

The dependency relation for synchronous communication systems relates transitions that belong to the same process. Hence, two transitions are interdependent iff they belong to the same process. Notice that a communication transition belongs to, and hence is dependent on, transitions of two processes. Choosing a subset of the enabled transitions that satisfies condition C1 can be done as follows:

Choose all the transitions enabled in the current state $s$ that belong to a subset $\mathcal{P}$ of the processes, such that there is no communication transition between a process $P_i$ in $\mathcal{P}$ and a process outside $\mathcal{P}$ that is locally enabled by $P_i$.

The above rule prevents the case where, by executing transitions outside the selected ample set, a communication that is dependent on transitions in the set becomes (globally) enabled and executes before any transition in the ample set, contradicting C1. Such a set of transitions can be found by choosing initially the currently enabled transitions that belong to a single process. If the above rule does not hold, repeat adding the transitions of additional processes, until the rule holds.


Asynchronous  Communication 

In this communication model, we have separate sends and receives. In addition to the local variables of each process, pairs of processes that can communicate with each other share FIFO queues, through which the communication is handled. The sender does not have to wait for the receiver, unless the message queue it uses is full. Similarly, the receiver does not have to wait for the sender unless there is no message in its input queue. Send and receive transitions are matching if they share the same communication queue. We will assume that for each queue there is only a single process that can send, and a single (different) process that can receive.

It is evident that matching sends and receives do not satisfy the conditions on the dependency relation from Section 2.2. However, one can weaken condition D1, allowing transitions $a$ and $b$ to be independent when executing one cannot disable the other (but can enable the other, as opposed to condition D1). Notice that in this case, it is no longer true that when $v \equiv w$ and $v$ is a transition sequence of a system $\mathcal{I}$, then $w$ is also a transition sequence of $\mathcal{I}$.

Choosing a subset of the enabled transitions at $s$ that satisfies condition C1 can be done as follows:

Choose all the transitions enabled in the current state that belong to a subset $\mathcal{P}$ of the processes, such that

• there is no send transition of a process $P_i$ in $\mathcal{P}$ that could send a message to a process outside $\mathcal{P}$ if its queue were not full in $s$, and

• there is no receive transition of a process $P_i$ in $\mathcal{P}$ that could receive a message from a process outside $\mathcal{P}$ if its queue were not empty in $s$.


Separate  Process  Analysis 

As explained above, additional knowledge about the future enabledness of transitions allows certifying more subsets as ample sets. As an example, in synchronous communication, we can weaken the requirement that the subset of processes $\mathcal{P}$ does not contain a locally enabled communication transition $a$ communicating with a process $P_j$ outside $\mathcal{P}$: the existence of such a transition $a$ does not prohibit the enabled transitions of $\mathcal{P}$ from being an ample set if the process $P_j$ cannot participate in such a communication in any state that is reachable from the current one. A similar weakening is possible for the asynchronous communication case.

The future disabledness of a transition from a given state is as hard to check as the model-checking problem itself. Thus, we may be satisfied with a solution that would not identify every transition that can no longer become enabled from the current state, but would identify at least a subset of such transitions. This can be done using a separate process reachability analysis. In the above example for synchronous communication, we check whether process $P_j$ could reach the matching communication from its current local state. This search looks at the process $P_j$ in isolation. It assumes all transitions that are joint with other processes to be locally enabled by the other processes. Furthermore, we may even choose to ignore data values, reverting to static analysis.

Such  a  search  can  be  done  in  a  preparatory  stage,  identifying  from  each  local 
state  offending  transitions  (which  can  include  synchronous  communication  tran¬ 
sitions,  asynchronous  communication  transitions  or  use  of  global  variables)  that 
are  not  reachable.  This  information  can  be  used  then  to  improve  the  reduction  by 
identifying  more  subsets  as  ample  sets. 


On-the-fly  Reduction 

In  previous  sections,  the  model-checking  algorithm  was  explained  as  a  two-phase 
process,  where  at  the  first  phase,  the  (reduced)  state-space  is  constructed,  and  in 
the  second  phase,  a  graph-theoretic  algorithm  is  applied  to  it.  In  practice,  many 
model-checking  tools  work  in  a  slightly  different,  more  efficient,  way.  They  combine 
the  construction  of  the  state  space  with  checking  that  it  satisfies  the  specification. 
Then,  it  is  sometimes  possible  to  identify  ‘on-the-fly’  that  the  system  violates  the 
specification,  before  completing  the  construction.  We  will  describe  how  partial 
order  reduction  can  be  applied  while  doing  on-the-fly  model-checking. 

Obtaining an on-the-fly model-checking algorithm can be done by using a Büchi automaton $A$ that corresponds to the complement of the specification $\varphi$. Namely, $A$ recognizes the sequences that are not allowed by the specification. A translation from LTL formulas to Büchi automata can be found, e.g., in [37, 7].

A Büchi automaton is a five-tuple $(Q, i, \Sigma, \delta, F)$, where $Q$ is a finite set of automaton states, $i \in Q$ is the initial automaton state, $\Sigma$ is a finite set of values, which is in our case $2^P$, $\delta \subseteq Q \times \Sigma \times Q$ is a non-deterministic transition relation, and $F \subseteq Q$ is the set of accepting states. A run of the automaton $A$ over an infinite sequence $\alpha \in \Sigma^\omega$, where $\alpha = r_0 r_1 r_2 \ldots$, is an infinite sequence of automaton states $q_0 q_1 \ldots$ such that for each $i \geq 0$, $(q_i, r_i, q_{i+1}) \in \delta$. A run is accepting iff at least one automaton state from $F$ appears on it infinitely many times.

Verifying that a system $I$ satisfies a specification $\varphi$ is thus done by checking whether there are execution sequences of $I$ that are accepted by runs of $A$. If there are such sequences, they correspond to counter-examples (since $A$ accepts the sequences disallowed by the specification). Otherwise, $I$ satisfies $\varphi$.

To carry out the above task, we can generate the product automaton $I \times A$: the states of the product are pairs from $S \times Q$. We will refer to such pairs simply as states. The transitions are pairs from $T \times \delta$. The accepting states are fixed by the automaton state component, i.e., are pairs $(s, q)$ such that $q \in F$. The initial state is the pair $(\iota, i)$. To make the sequences of $I \times A$ correspond to runs of $A$ over sequences of $I$, we make the following correspondence: $(s, q) \xrightarrow{(\alpha, b)} (s', q')$ is a transition of $I \times A$ iff (1) $s' = \alpha(s)$, (2) $(q, b, q') \in \delta$, and (3) $L(s) = b$. The last requirement means that the $A$ transition $b$ agrees with the labeling of the outgoing system state $s$.

We can now construct $I \times A$ on-the-fly: from the current pair $(s, q) \in S \times Q$, generate all possible transitions $(\alpha, b)$ that satisfy (1), (2) and (3) above. Better yet, we can employ the partial order reduction and restrict the first component such that $\alpha \in ample(s)$.

The only condition that appears to be problematic is the cycle closing condition C2: the cycles in the product are not necessarily the same as the ones in the reduced state-space for $I$. However, in [29] it is shown that it is correct to use the cycles of $I \times A$.

Using Tarjan's DFS algorithm, we can find the maximal strongly connected components of $I \times A$. A strongly connected component that is reachable from the initial state and contains an accepting state means that the property $\varphi$ does not hold for $I$, and can be used to construct a counter-example.

An  even  more  efficient  model-checking  procedure  is  obtained  by  observing  that 
an  accepting  run  exists  iff  there  is  a  cycle  through  a  reachable  accepting  state.  The 
procedure  [16,  5]  applies  an  interleaved  double  DFS  procedure:  when  the  first  DFS 
retracts  to  an  accepting  state,  the  second  DFS  starts  searching  for  a  cycle  through 
this  state.  If  the  second  DFS  fails  to  find  a  cycle,  the  first  DFS  resumes  from  the 
point  it  has  stopped.  We  can  use  the  following  bits  for  every  state  of  the  product 
that  is  put  in  the  hash  table: 

• The state was found during the first DFS.

• The state was found during the second DFS.

• The state is in the first DFS stack.

• The state is in the second DFS stack.

Notice  that  these  bits  allow  information  about  the  two  different  (virtual)  copies 
of  the  same  state  in  the  two  searches.  Notice  further  that  there  is  no  need  to 
explicitly  store  the  edges. 

Applying  the  partial  order  reduction  to  the  improved  search  requires  a  subtle 
change  in  the  algorithm:  it  is  important  to  guarantee  that  the  second  DFS  uses 
the  states  that  were  already  found  in  the  first  DFS.  Repeating  exactly  the  same 
reduction  from  every  state  is  thus  important  to  achieve  this  goal.  However,  notice 
that  when  the  second  search  reaches  a  state  that  is  on  the  stack  of  the  first  DFS, 
it  may  continue  to  search  new  states  that  were  not  encountered  yet  during  the 
first  DFS.  Notice  also  that  once  a  state  x  that  is  on  the  stack  of  the  first  DFS  is 
reached  in  the  second  DFS,  the  search  can  terminate:  it  is  guaranteed  that  there  is 
a  path  from  x  to  the  accepting  state  from  which  the  second  DFS  has  begun,  hence 
completing a cycle through it. Hence, the algorithm in [16, 5] can be changed as
follows [18]:

Upon  reaching  during  the  second  DFS  a  state  that  is  on  the  stack  of  the 
first  DFS,  terminate  the  search.  Use  the  concatenation  of  the  states  in 
the  first  and  second  DFS  as  a  counter-example. 

This  early  termination  of  the  algorithm  can  be  applied  to  the  full  search  as  well 
and  can  result  in  shorter  counter-examples. 
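The interleaved double DFS with the early termination rule described above, as an added example in Python (this is not code from the paper, from [16, 5, 18] or from SPIN). The product $I \times A$ is generated on the fly from a system successor function, a labeling function $L$ and the transition relation $\delta$ of $A$; every hashed product state carries the four bits listed above and no edges are stored; the second DFS stops as soon as it reaches a state on the first DFS stack and the two stacks are concatenated into a lasso-shaped counter-example. The two small systems, the labeling and the one-state automaton for the complement of "eventually $p$" are constructed for the example; `ample` is a hypothetical hook for a reduced successor set and is left at full expansion here.

```python
"""Interleaved double DFS (nested DFS) for an on-the-fly product I x A.

Hypothetical example code.  Each hashed product state carries four bits
(found in first DFS, found in second DFS, on first stack, on second stack);
no edges are stored.  The second DFS terminates as soon as it reaches a state
on the first DFS stack and the two stacks are concatenated into a lasso.
"""
from typing import Dict, Hashable, List

IN_FIRST, IN_SECOND, ON_STACK1, ON_STACK2 = 1, 2, 4, 8


def find_accepting_cycle(initial, successors, accepting):
    """Return (prefix, cycle) for a reachable accepting cycle, or None.

    `successors` must return the same successor list for a state every time it
    is asked (a reduction, if any, has to be repeated identically), so that the
    second DFS stays within the states the first DFS generated."""
    flags: Dict[Hashable, int] = {}
    stack1: List = []
    stack2: List = []
    hit: List = []                       # state on stack1 reached by the second DFS

    def dfs2(s):
        flags[s] = flags.get(s, 0) | IN_SECOND | ON_STACK2
        stack2.append(s)
        for t in successors(s):
            if flags.get(t, 0) & ON_STACK1:      # stack1 holds a path t -> ... -> seed: cycle
                hit.append(t)
                return True
            if not flags.get(t, 0) & IN_SECOND and dfs2(t):
                return True
        stack2.pop()
        flags[s] &= ~ON_STACK2
        return False

    def dfs1(s):
        flags[s] = flags.get(s, 0) | IN_FIRST | ON_STACK1
        stack1.append(s)
        for t in successors(s):
            if not flags.get(t, 0) & IN_FIRST and dfs1(t):
                return True
        if accepting(s) and dfs2(s):         # retracting from an accepting state seeds dfs2
            return True
        stack1.pop()
        flags[s] &= ~ON_STACK1
        return False

    if not dfs1(initial):
        return None
    k = stack1.index(hit[0])             # counter-example: first stack, then second stack
    return stack1[:k], stack1[k:] + stack2[1:]   # stack2[0] is the seed, already on stack1


def product_successors(sys_successors, sys_label, delta, ample=None):
    """Successors in I x A: (s, q) -> (s', q') iff s' in ample(s), (q, b, q') in delta
    and L(s) = b.  `ample` is a hypothetical hook for the reduced successor set of s;
    by default s is fully expanded."""
    enabled = ample if ample is not None else sys_successors

    def succ(state):
        s, q = state
        return [(s2, q2) for s2 in enabled(s)
                for (q1, b, q2) in delta if q1 == q and b == sys_label(s)]
    return succ


def check_eventually_p(initial, sys_successors, sys_label):
    """Check <>p: the Buchi automaton for its complement has one accepting state
    that loops while the current label is {} (p false), over the alphabet 2^{p}."""
    q0 = 'q0'
    delta = [(q0, frozenset(), q0)]
    succ = product_successors(sys_successors, sys_label, delta)
    return find_accepting_cycle((initial, q0), succ, lambda st: st[1] == q0)


# Constructed samples.  p holds only in system state 2.
LABEL = lambda s: frozenset({'p'}) if s == 2 else frozenset()
LOOPY = {0: [1], 1: [0, 2], 2: [2]}       # may circle 0 -> 1 -> 0 forever: <>p fails
STRAIGHT = {0: [1], 1: [2], 2: [2]}       # every run reaches 2: <>p holds


def counterexample_loopy():
    return check_eventually_p(0, LOOPY.__getitem__, LABEL)


def counterexample_straight():
    return check_eventually_p(0, STRAIGHT.__getitem__, LABEL)
```

For the looping system the second DFS, started when the first one retracts from the accepting product state $(1, q_0)$, immediately meets $(0, q_0)$ on the first stack and returns the cycle $(0, q_0), (1, q_0)$, a run on which $p$ never holds; for the other system no accepting cycle exists and `None` is returned.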

Albeit  eliminating  some  incorrect  search  scenarios,  this  provision  is  not  suffi¬ 
cient  to  guarantee  that  the  second  DFS  will  follow  the  same  reduced  set  of  states  as 
the  first  one.  A  problem  may  arise  when  the  first  search  backtracks  from  a  strongly 
connected  component  that  does  not  include  an  accepting  state,  hence  the  second 
search  was  not  applied  to  this  component.  While  searching  another  component, 
which  contains  an  accepting  state,  the  second  DFS  can  propagate  now  to  the  pre¬ 
viously  abandoned  component.  This  time  it  starts  from  a  different  node  in  the 
component,  potentially  closing  cycles  in  a  different  order.  This  might  influence  the 
reduction,  causing  different  nodes  to  be  discovered  in  the  second  search. 

Thus,  additional  state  information  is  needed  in  order  to  make  sure  that  the 
second  DFS  will  generate  the  same  sets  of  successors  as  the  first  one  for  every 
generated  state  s.  This  information  reflects  how  the  closing  cycle  condition  C2  was 
resolved during the first DFS [18]. One possibility is that it identifies the processes whose operations were selected for the ample set from $s$ during the first DFS. Another possibility is that the reduction algorithm checks condition C2 against the first set that satisfies the other conditions from $s$. If this set fails to satisfy C2, then $s$ is fully expanded. In this case, the information about the success or failure to find a subset can be stored for the use of the second DFS using a single additional bit.
The SPIN Implementation


The  model-checking  tool  SPIN  [16]  contains  an  implementation  of  the  ample  sets 
method.  SPIN  allows  a  variety  of  communication  mechanisms,  including  syn¬ 
chronous  and  asynchronous  message  communication.  It  also  allows  global  tran¬ 
sitions,  which  change  values  of  variables  that  belong  to  all  the  processes.  Hence, 
the  rules  to  achieve  ample  sets  that  satisfy  condition  Cl  are  more  complicated. 
SPIN  includes  the  on-the-fly  partial  order  reduction  [17],  with  the  double  DFS 
described  above  [18]. 
History Dependent Verification for Partial Order Systems

Ugo  Montanari  and  Marco  Pistore 


Abstract.  In  this  paper  we  propose  a  new  approach  to  check  bisimulation- 
based  equivalences  for  models  of  concurrency  which  take  into  account  causal 
dependencies  between  the  actions  a  system  can  perform.  The  existing  ap¬ 
proaches  are  based  on  special  definitions  of  bisimulation  and  do  not  allow  for 
reuse  of  techniques  and  tools  developed  for  ordinary  labeled  transition  sys¬ 
tems.  This  is  not  the  case  in  our  approach,  since  we  map  causal  systems  into 
ordinary  transition  systems.  As  a  consequence,  we  obtain  minimal  realiza¬ 
tions  and  Hennessy-Milner  logics  also  for  causal  systems.  We  show  how  our 
approach  applies  to  history-preserving  bisimulation  for  Petri  nets  [1]  and  to 
location  equivalence  for  CCS  [3,  4]. 


1.  Introduction 

Bisimulation  is  widely  used  to  equip  concurrent  systems  with  an  abstract  se¬ 
mantics.  A  well-established  theory  and  efficient  algorithms  have  been  developed  for 
it.  Automatic  checking  is  successful  in  practice,  since  many  interesting  systems  are 
finite  state.  One  of  the  most  used  algorithms  is  the  so-called  partition  refinement 
algorithm  [11,  18].  It  is  particularly  interesting  since  it  allows  for  minimization, 
i.e.,  it  can  be  used  to  find  the  minimal  transition  system  in  a  class  of  bisimilar  tran¬ 
sition  systems.  Minimization  is  important  both  from  a  theoretical  point  of  view  — 
equivalent  systems  give  rise  to  the  same  (up  to  isomorphism)  minimal  realization 
—  and  from  a  practical  point  of  view  —  smaller  state  spaces  can  be  obtained. 

However,  the  standard  definition  of  bisimulation  —  and  most  of  the  results 
and  algorithms  which  have  been  developed  for  it  —  can  be  applied  only  to  sys¬ 
tems  whose  operational  behavior  is  modeled  by  labeled  transition  systems.  In  this 
case  computations  are  simply  sequences  of  atomic  actions  and  hence  parallelism  of 
actions  is  reduced  to  interleaving. 

Many  attempts  have  been  made  to  overcome  the  limits  of  this  interleaving 
approach  and  to  allow  the  observer  to  discriminate  systems  via  bisimulation  also 
according  to  the  degree  of  parallelism  they  exploit  in  their  computations.  A  possible 
approach  is  to  modify  the  operational  semantics  so  that  dependencies  between 
actions are taken into account. Dependencies may be of different kinds: for instance
they  can  be  causal  dependencies  (each  action  refers  to  the  actions  in  the  past 
it  depends  on)  or  localities  dependencies  (the  dependencies  are  used  to  describe 
sublocation  relations:  each  action  depends  on  the  actions  in  the  past  that  generated 
the  location  in  which  the  action  occurs). 

Bisimulation-based  abstract  semantics  can  then  be  used  on  the  richer  opera¬ 
tional  semantics.  In  these  cases,  however,  particular  definitions  of  bisimulation  have 
to  be  exploited,  since  they  have  to  deal  with  dependencies,  and  they  do  not  allow 
for  a  full  reusage  of  the  existing  theories  and  algorithms  for  standard  bisimulation. 
Moreover,  since  the  past  history  of  the  system  has  to  be  remembered  to  define 
dependencies,  the  operational  models  are  usually  finite  only  when  the  system  can¬ 
not  perform  infinite  computations.  Special  techniques  must  be  studied  to  obtain 
decidability  also  for  some  systems  with  infinite  behaviors. 

In  this  paper  we  describe  a  possible  solution  to  these  problems  which  has  been 
proposed  in  [15,  13].  We  first  define  causal  automata  as  a  general  model  for  dealing 
with  dependencies  between  actions.  In  this  model  the  dependencies  are  represented 
by  means  of  names:  each  transition  generates  a  new  name  which  is  then  referenced 
in  the  labels  of  the  transitions  which  depend  from  it.  The  names  which  are  relevant 
for  a  state  of  the  system  are  also  explicitly  remembered  in  the  corresponding  state 
of  the  causal  automaton. 

When  a  system  is  mapped  on  causal  automata,  it  is  important  to  discard  part 
of  the  past  events  and  to  remember  just  those  events  that  can  (but  not  necessarily 
will)  be  referenced  in  the  future  behavior.  This  pruning  of  the  past  history  allows 
for  reusing  the  same  state  of  the  causal  automaton  to  represent  different  stages  of 
a  computation.  Moreover,  by  considering  as  inessential  the  syntactical  identity  of 
the  names,  it  is  possible  to  identify  states  whose  future  behaviors  differ  just  for  a 
renaming.  This  allows  us  to  represent  classes  of  systems  with  infinite  behavior  with 
finite-state  —  and  possibly  very  compact  —  causal  automata. 

To  show  that  causal  automata  are  a  good  model  for  dependencies,  we  give  a  hint 
of  how  it  is  possible  to  translate  two  classical  non-interleaving  models  of  concurrency 
—  Petri  nets  with  process-based  semantics  [9,  1]  and  CCS  with  localities  [3,  4]  — 
into  causal  automata. 

We  also  equip  causal  automata  with  a  notion  of  bisimulation.  This  bisimulation 
equivalence  correctly  deals  with  dependencies.  In  fact,  two  systems  described  in 
one  of  the  two  formalisms  above  are  equivalent  if  and  only  if  the  corresponding 
causal  automata  are  equivalent  according  to  the  proposed  bisimulation. 

Finally  we  show  how,  starting  from  causal  automata,  it  is  possible  to  build 
ordinary  transition  systems  and  to  reuse  ordinary  bisimulation  on  them  to  decide 
bisimulation  on  causal  automata.  To  obtain  this,  a  notion  of  active  names  is  ex¬ 
ploited,  where  a  name  is  active  for  a  state  if  it  appears  in  the  label  of  a  transition 
reachable  from  the  state.  Non-active  names  can  be  discarded,  thus  allowing  for  a 
static  correspondence  of  names  between  bisimilar  states. 

This  translation  into  ordinary  transition  systems  allows  for  the  reusing  of  stan¬ 
dard  techniques  and  tools.  In  particular,  it  is  possible  to  associate  to  each  Petri  net 
a  transition  system  which  is  minimal  w.r.t.  those  associated  to  history-preserving 
bisimilar  nets.  As  far  as  we  know,  this  is  the  first  approach  which  leads  to  minimal 
realizations  for  Petri  nets  up  to  history-preserving  bisimulation  and  for  CCS  with 
localities. 
The structure of the paper is as follows. In Section 2 causal automata and
bisimulation  on  causal  automata  are  defined,  whereas  in  Section  3  it  is  sketched 
how  Petri  nets  and  CCS  with  localities  are  mapped  into  causal  automata.  In 
Section  4  ordinary  automata  are  obtained  from  causal  automata  and  in  Section  5 
an  algorithm  and  a  tool  are  described  which  exploit  the  proposed  approach. 

2.  Causal  automata 

In  this  section  we  define  causal  automata.  They  are  a  model  for  describing 
systems  whose  transitions  may  refer  to  previous  transitions.  Since  these  references 
can  be  used  to  represent  dependencies  and,  hence,  partial  orders,  it  is  clear  that 
causal  automata  are  an  interesting  operational  model  for  partial  order  semantics. 
We  also  equip  causal  automata  with  an  abstract  semantics  based  on  bisimulation. 

Definition 2.1 (causal automaton). Let $\mathcal{N}$ be a fixed infinite denumerable set of event names.

A causal automaton is a tuple $A = (Q, w, \mapsto, q_0)$ where:

• $Q$ is a set of states;

• $w : Q \to \mathcal{P}_{fin}(\mathcal{N})$ associates to each state a finite set of names;

• $\mapsto$ is a set of transitions; each transition has the form $q \xmapsto[M]{a,\sigma} q'$, where:

  – $q, q' \in Q$ are the source and target states;

  – $a \in Labels$ is the label;

  – $M \subseteq w(q)$ are the dependencies of the transition;

  – $\sigma : w(q') \hookrightarrow w(q) \cup \{\star\}$ is the injective (inverse) renaming for the transition; the special mark $\star \notin \mathcal{N}$ is used to recognize in the target state the name corresponding to the current transition;

• $q_0 \in Q$ is the initial state; we require that $w(q_0) = \emptyset$.

A causal automaton is hence an automaton particularly suited for dealing with dependencies between transitions. Each state $q$ is labeled by the set $w(q)$ of names, which correspond to the past events that can still (but not necessarily will) be referenced in the future behaviors. These names have a meaning that is local, private to the state. Hence, the particular choice of names cannot by itself make a distinction between two states of the causal automaton.

Each transition $q \xmapsto[M]{a,\sigma} q'$ depends on the past transitions identified by $M$. Due to the local meaning of names, each transition must also specify the correspondence between the names of the source and those of the target. This correspondence is obtained via the renaming $\sigma$, which also permits to deduce which names of the source are forgotten in the target; the name (if any) used in the target state to represent the current transition is mapped into the special mark $\star$.

If there are invisible transitions, as for instance in CCS, we add to the automata a new kind of transitions, which has the form $q \xmapsto{\tau,\sigma} q'$.

On  causal  automata  a  bisimulation  cannot  simply  be  a  relation  on  states:  also 
a  partial  correspondence  between  the  names  of  the  states  has  to  be  specified  and 
the  same  pairs  of  states  can  be  in  relation  via  more  than  one  correspondence. 

Definition 2.2 (bisimulation on causal automata). A causal bisimulation for two causal automata $A$ and $B$ is a set $\mathcal{R}$ of triples such that:

• if $(p, \delta, q) \in \mathcal{R}$ then $p \in Q_A$, $q \in Q_B$ and $\delta$ is a partial injective function from $w_A(p)$ to $w_B(q)$;

• $(q_{0A}, \emptyset, q_{0B}) \in \mathcal{R}$;

• if $(p, \delta, q) \in \mathcal{R}$ and $p \xmapsto[M]{a,\sigma} p'$ in $A$ then there exist some $q \xmapsto[\delta(M)]{a,\rho} q'$ in $B$ and some $\delta'$ such that $(p', \delta', q') \in \mathcal{R}$ and $\delta'(m) = n$ implies $\sigma(m) = \star = \rho(n)$ or $\delta(\sigma(m)) = \rho(n)$;

• if $(p, \delta, q) \in \mathcal{R}$ and $q \xmapsto[M]{a,\rho} q'$ in $B$ then there exist some $p \xmapsto[\delta^{-1}(M)]{a,\sigma} p'$ in $A$ and some $\delta'$ such that $(p', \delta', q') \in \mathcal{R}$ and $\delta'(m) = n$ implies $\sigma(m) = \star = \rho(n)$ or $\delta(\sigma(m)) = \rho(n)$.

The causal automata $A$ and $B$ are bisimilar, written $A \sim_{ca} B$, if there is some bisimulation for them.

Notice that if $p$ and $q$ correspond via $\delta$ in some bisimulation $\mathcal{R}$, then to each transition of $p$ a transition of $q$ must correspond, such that i) the two transitions perform the same action, ii) they depend on the same past events (via $\delta$), and iii) the reached states correspond in $\mathcal{R}$ via some $\delta'$ which relates two names of the target states only if they both are the names corresponding to the current transitions or if they are related by $\delta$ in the source states.

The definition of bisimulation can be easily extended to causal automata with $\tau$ transitions. Moreover, it is also possible to define a weak causal bisimulation, which allows each transition $\xmapsto[M]{a,\sigma}$ to be simulated with a suitable sequence of transitions $\xmapsto{\tau} \cdots \xmapsto{\tau}\ \xmapsto[M']{a,\sigma'}\ \xmapsto{\tau} \cdots \xmapsto{\tau}$, where $M'$ and $\sigma'$ are related to $M$ and $\sigma$ through the renamings of the intermediate $\tau$ steps.

We  conclude  this  section  with  a  remark.  The  idea  of  using  names  to  model 
dependencies  is  not  new.  It  has  been  introduced  for  instance  in  [5]  and  in  [3,  4,  12], 
There,  however,  names  are  global  and  syntactic  (they  appear  in  the  terms  describing 
the  system).  In  the  case  of  causal  automata,  instead,  names  are  local  to  states  and 
are  semantic  objects;  this  has  the  double  advantage  of  making  possible  to  work 
directly  on  names  —  for  instance  by  discarding  some  of  them  from  an  automaton, 
as  we  will  do  in  Definition  4.2  —  and  of  allowing  those  states  to  collapse  which 
differ  just  for  the  syntactical  choice  of  names.  Moreover,  we  will  see  in  Section  4 
that,  by  fixing  a  strategy  for  choosing  new  names,  it  is  possible  to  generate  ordinary 
transition  systems  from  causal  automata.  To  have  a  model  which  is  independent 
from  the  allocation  strategy  of  names  is  interesting  in  itself,  also  since  different 
strategies  have  been  actually  proposed  in  the  literature. 

3.  Causal  automata  for  partial  order  systems 

In  this  section  we  show  how  it  is  possible  to  translate  two  classical  non-inter¬ 
leaving  models  of  concurrency  —  Petri  nets  with  process-based  semantics  [9,  1] 
and  CCS  with  localities  [3,  4]  —  into  causal  automata. 

Causal  automata  can  be  associated  also  to  other  models  —  as,  for  instance, 
CCS  with  causality  [5]  —  using  techniques  similar  to  those  used  in  the  two  cases 
we  consider. 

3.1.  Causal  automata  for  Petri  nets.  In  the  context  of  Petri  nets  partial 
order  semantics  is  obtained  via  processes.  They  have  been  defined  in  [9]  to  represent 
concurrent  runs  of  the  net.  In  particular,  from  processes  it  is  possible  to  obtain 
the  partial  order  of  the  events  of  the  run,  which  represents  the  causal  dependencies 
between  them  (an  event  directly  causes  another  event  if  it  generates  a  token  which  is 
consumed  by  the  second  event).  A  notion  of  bisimulation,  called  history-preserving 
bisimulation, which takes into account the partial order behavior has been defined
in  [20]  for  event  structures.  The  same  notion  has  been  introduced  in  [7]  using 
mixed  ordering  observations.  History-preserving  bisimulation  has  been  applied  to 
Petri  nets  in  [1]. 

Since processes grow during a computation, infinite-state systems are associated to all nets which allow for infinite computations. Some alternative approaches [21, 10] have been proposed so that history-preserving bisimulation can be checked also for classes of nets with infinite behaviors, namely safe nets. Essentially, in those approaches it is shown how it is possible to remember just a finite part of the past history of a computation in order to decide equivalence of nets.

In  [13]  decidability  of  history-preserving  bisimulation  on  Petri  nets  has  been 
extended  to  a  more  general  subclass  of  P/T  nets,  using  causal  automata.  Now  we 
summarize  the  approach  of  [13]. 

Essentially, a P/T net is defined by:

• a set $S$ of places; each place is supposed to contain a certain number of tokens; a state of the net is then represented by a function $m : S \to \mathbb{N}$, called a marking, which describes the distribution of tokens in the places;

• a set $T$ of transitions; each transition fires erasing a certain number of tokens from some places of the net and adding a certain number of new tokens to some possibly different places; transition $t$ is enabled at marking $m$ if $m$ contains enough tokens in the places and in this case we write $m \xrightarrow{t} m'$, where $m'$ is the suitably updated marking;

• a labeling function for the transitions $l : T \to Labels$;

• an initial marking $m_0$.

A  formal  definition  of  P/T  nets  and  of  history-preserving  bisimulation  on  them  can 
be  found  in  the  Appendix. 

As mentioned above, the classical definition of history-preserving bisimulation is based on processes. Not all the information carried by processes, however, is used in the bisimulation. We now define configurations, which contain only the information of processes which is relevant to bisimulation.

Definition 3.1 (configuration). Let $N$ be a P/T net. A configuration for $N$ is a tuple $c = (E, p, <)$, where:

• $E$ is a set of events;

• $p : S \times (E \cup \{init\}) \to \mathbb{N}$;

• $<$ is a partial ordering for $E$.

We require that, for each $e \in E$, $\sum_{s \in S} p(s, e) > 0$.

The initial configuration for $N$ is $c_0(N) = (\emptyset, p_0, \emptyset)$, where $p_0(s, init) = m_0(s)$ for all $s \in S$.

In  a  configuration,  the  set  E  represents  (part  of)  the  past  events.  Since  we 
are  interested  in  a  partial  order  semantics,  a  partial  order  is  defined  on  E ,  which 
represents  the  causal  dependencies  between  the  past  events.  Function  p  represents 
the  current  marking  of  the  net;  instead  of  simply  defining  how  many  tokens  are  in 
each  place  of  the  net,  it  also  remembers  which  events  generated  these  tokens  (init 
is  a  special  mark  used  for  the  tokens  in  the  initial  marking). 

We  require  that  in  a  configuration  only  the  events  are  remembered  which  gen¬ 
erated  tokens  still  present  in  the  net.  This  is  important  to  obtain  a  finite  number 
of  different  configurations  also  for  certain  classes  of  nets  with  infinite  behaviors. 
It is possible to define transitions on configurations¹: essentially $c \xrightarrow{t} c'$ if $c'$ is obtained from $c$ by performing transition $t$ of the net. Tokens are discarded and added according to the pre- and post-conditions of the net; events which have no more tokens are discarded, whereas a new event $e$ is added and the tokens generated by the transition are associated to $e$; suitable dependencies for $e$ are added to the partial order, following the rule that $e$ directly depends on all the past events which generated tokens consumed by the transition. These events are called the immediate causes of the transition; we denote with $IC(c \xrightarrow{t} c')$ the set of immediate causes of transition $c \xrightarrow{t} c'$.

When a causal automaton is generated from a net, states of the automaton correspond to configurations of the net. However, to obtain a compact automaton, it is important to identify configurations which are isomorphic. This can be obtained by fixing a representative for each class of isomorphic configurations and by defining a function $norm$ such that $norm(c) = (c', \alpha)$, where $c'$ is the representative of the class of configurations isomorphic to $c$ and $\alpha$ is the bijection between $E_{c'}$ and $E_c$.

Now  we  are  ready  to  show  how,  given  a  net,  it  is  possible  to  build  the  causal 
automaton  corresponding  to  it,  by  using  its  behavior  on  configurations. 

Definition 3.2 (from nets to causal automata). The causal automaton corresponding to P/T net $N$ is $aut(N) = (Q, w, \mapsto, c_0)$, where $c_0 \in Q$ is the initial configuration for $N$ and whenever $c \in Q$ then:

• $w(c) = E_c$;

• if $c \xrightarrow{t} c'$ and $(c'', \alpha) = norm(c')$ then $c'' \in Q$ and $c \xmapsto[M]{a,\, [\star/e] \circ \alpha} c''$, where:

  – $a = l(t)$,

  – $e = E_{c'} \setminus E_c$ (if $E_{c'} \setminus E_c = \emptyset$ then we can assume $e = \star$), and

  – $M$ are the events in $IC(c \xrightarrow{t} c')$ which are maximal w.r.t. $<_c$.

Notice  that  the  renaming  corresponding  to  a  transition  on  the  causal  automaton 
is  obtained  from  the  bijection  defined  by  function  norm:  it  is  sufficient  to  re-direct 
the  new  name  e  to  ★.  Moreover,  the  maximal  causes  of  the  transition  are  used  as 
dependencies  in  the  automaton. 

This  construction  generates  finite  causal  automata  for  the  finite  nets  which  are 
n-safe  for  some  n,  i.e.,  for  the  nets  whose  reachable  markings  have  n  or  less  tokens 
in  each  place. 
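The construction of Definitions 3.1 and 3.2 carried out in Python, as an added example that is not code from the paper or from the authors' tool. Configurations are stored with their events, the ownership of each token by the event (or $init$) that produced it, and the transitively closed partial order; firing a net transition computes the immediate causes, adds the new event, prunes events that own no token any more, and a brute-force canonical form stands in for $norm$ so that isomorphic configurations collapse into one state. Every way of choosing the consumed tokens is enumerated, so nets with several tokens per place are handled as the text's construction requires, not only 1-safe ones. The fork/join net used as input is constructed for the example (the page shows no particular net): it has infinite behavior, yet the automaton is finite, and the join transition $d$ depends on two concurrent, both maximal, events.

```python
"""Causal automaton aut(N) of a P/T net, built from configurations.

Hypothetical example code: Config is (E, p, <) with the order kept transitively
closed, fire() implements c -t-> c', normalize() plays the role of norm, and
aut() builds the states and transitions of Definition 3.2.
"""
import itertools
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

INIT = -1      # the mark `init` for tokens of the initial marking
STAR = '*'     # the mark for the name of the current transition


@dataclass(frozen=True)
class Config:
    events: FrozenSet[int]                     # E
    tokens: FrozenSet[Tuple[str, int, int]]    # p as (place, generating event, count > 0)
    order: FrozenSet[Tuple[int, int]]          # <, transitively closed, as pairs x < y


@dataclass(frozen=True)
class Net:
    pre: Dict[str, Dict[str, int]]    # transition -> place -> tokens consumed
    post: Dict[str, Dict[str, int]]   # transition -> place -> tokens produced
    label: Dict[str, str]             # l : T -> Labels
    m0: Dict[str, int]                # initial marking


def fire(net, c, t):
    """Yield (c', new_event, immediate_causes) for every way of choosing the tokens t consumes."""
    tok = {(s, e): n for s, e, n in c.tokens}
    choices = []
    for s, k in net.pre[t].items():
        avail = [e for (s2, e), n in tok.items() if s2 == s for _ in range(n)]
        if len(avail) < k:
            return                                  # t is not enabled at c
        choices.append({tuple(sorted(cmb)) for cmb in itertools.combinations(avail, k)})
    new = len(c.events)                             # fresh name: canonical states use 0..n-1
    for choice in itertools.product(*choices):
        tok2, causes = dict(tok), set()
        for s, consumed in zip(net.pre[t], choice):
            for e in consumed:
                tok2[(s, e)] -= 1
                if e != INIT:
                    causes.add(e)                   # IC(c -t-> c')
        for s, n in net.post[t].items():
            tok2[(s, new)] = tok2.get((s, new), 0) + n
        order = (set(c.order) | {(x, new) for x in causes}
                 | {(y, new) for y, x in c.order if x in causes})
        alive = {e for (s, e), n in tok2.items() if n > 0 and e != INIT}   # events still owning tokens
        yield Config(frozenset(alive),
                     frozenset((s, e, n) for (s, e), n in tok2.items() if n > 0),
                     frozenset((x, y) for x, y in order if x in alive and y in alive)), new, causes


def normalize(c):
    """norm(c): canonical representative of the isomorphism class of c and the bijection
    alpha from the representative's names to c's events.  Brute force over the
    permutations of E, adequate for the small configurations of an n-safe net."""
    evs, best = sorted(c.events), None
    for perm in itertools.permutations(range(len(evs))):
        pi = dict(zip(evs, perm))
        pi[INIT] = INIT
        key = (tuple(sorted((s, pi[e], n) for s, e, n in c.tokens)),
               tuple(sorted((pi[x], pi[y]) for x, y in c.order)))
        if best is None or key < best[0]:
            best = (key, pi)
    (toks, ordr), pi = best
    rep = Config(frozenset(range(len(evs))), frozenset(toks), frozenset(ordr))
    return rep, {pi[e]: e for e in evs}


def aut(net):
    """Build aut(N): the canonical configurations and the transitions
    (c, a, M, sigma, c''), sigma as sorted pairs (name in c'', name in c or STAR)."""
    c0 = Config(frozenset(), frozenset((s, INIT, n) for s, n in net.m0.items() if n > 0), frozenset())
    states, trans, work = {c0}, [], [c0]
    while work:
        c = work.pop()
        for t in net.pre:
            for c2, new, causes in fire(net, c, t):
                rep, alpha = normalize(c2)
                maximal = frozenset(x for x in causes if not any((x, y) in c.order for y in causes))
                sigma = tuple(sorted((m, STAR if alpha[m] == new else alpha[m]) for m in alpha))
                trans.append((c, net.label[t], maximal, sigma, rep))
                if rep not in states:
                    states.add(rep)
                    work.append(rep)
    return states, trans


# Constructed 1-safe fork/join net: a splits a token into B and C, b and c fire
# concurrently, d joins D and E back into A, so the net runs forever.
FORK_JOIN = Net(pre={'ta': {'A': 1}, 'tb': {'B': 1}, 'tc': {'C': 1}, 'td': {'D': 1, 'E': 1}},
                post={'ta': {'B': 1, 'C': 1}, 'tb': {'D': 1}, 'tc': {'E': 1}, 'td': {'A': 1}},
                label={'ta': 'a', 'tb': 'b', 'tc': 'c', 'td': 'd'},
                m0={'A': 1})


def fork_join_example():
    """Finite automaton for a net with infinite behavior: 6 states, 7 transitions."""
    return aut(FORK_JOIN)
```

Running `fork_join_example()` gives six canonical configurations and seven transitions: the two interleavings of $b$ and $c$ reach the same state after normalization, the $d$ transition carries $M$ with two events (its two immediate causes are incomparable, hence both maximal), and the second $a$ transition, fired from the single-event configuration reached after $d$, carries $M$ with one event while the first, fired from $c_0$, depends on nothing because tokens marked $init$ have no generating event.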

The  general  definition  of  bisimulation  on  causal  automata  exactly  matches  the 
classical  definition  of  history-preserving  bisimulation  on  nets,  as  it  is  proved  in  [13]. 

Theorem 3.3. Given two P/T nets $N_1$ and $N_2$, $aut(N_1) \sim_{ca} aut(N_2)$ iff $N_1 \sim_{hp} N_2$.

3.2.  Causal  automata  for  CCS  with  locations.  The  location  semantics 
for  CCS  we  consider  has  been  introduced  in  [3,  4].  It  discriminates  CCS  agents  also 
with  respect  to  how  their  computations  are  distributed  in  space;  to  each  sequential 
component  of  the  agent  a  different  location  is  assigned  and  two  agents  are  equivalent 
if  they  can  bisimulate  by  performing  the  same  actions  in  the  same  locations. 

The syntax of CCS is enriched with a location prefix operator $l::p$ meaning that $l \in Loc$ is the location of agent $p$; the nesting of location prefixes represents the sublocalities relation for the agent. Whenever an action is performed, a new sublocation is created for the subagent activated by the action; the location in which an action occurs is added to the label, so that transitions have the form $p \xrightarrow[u]{a} p'$, where $u = l_1 l_2 \cdots l_n$ is a sequence of locations.

For instance, agent $l::(a.b.p \mid c.q)$ can perform the following computation:

$$l::(a.b.p \mid c.q) \xrightarrow[lm]{a} l::(m::b.p \mid c.q) \xrightarrow[ln]{c} l::(m::b.p \mid n::q) \xrightarrow[lmo]{b} l::(m::o::p \mid n::q).$$

¹ See [13] for a formal definition of $c \xrightarrow{t} c'$.

We  say  that  two  agents  p  and  q  are  location  equivalent  ( p  ~ioc  q)  if  each 
transition  of  one  of  the  agents  is  matched  by  a  transition  of  the  other  agent  so  that 
the  two  transitions  correspond  to  the  same  action  and  occur  in  the  same  location, 
and  the  target  agents  are  still  equivalent. 

This  is  the  standard  approach  of  [3,  4].  The  problem  is  that  locations  are 
created  but  never  forgotten,  so  that  location  prefixes  continue  to  grow  during  the 
computation. 

In  [15]  a  slightly  different  approach  is  followed.  Here,  we  just  explain  the  main 
ideas  and  we  refer  to  [15]  for  the  formal  definitions. 

First of all, we can notice that the location relation of a particular state can be deduced also by observing the labels of the past computation: for instance, by just observing the labels, we know that, in the final state of the computation above, $n$ is a sublocation of $l$ and $o$ is a sublocation of $m$ and $l$. So, instead of representing the sublocation relation directly in the terms, a flat structure can be given to locations: each agent, up to suitable structural axioms, has then the form:

$$(l_1::p_1 \mid l_2::p_2 \mid \cdots \mid l_n::p_n) \setminus R$$

where the $p_i$ do not contain location prefixes and $R$ is the set of restricted channels.

The previous computation can then be rewritten as follows:

$l::(a.b.p \mid c.q) \xrightarrow{a}_{lm} m::b.p \mid l::c.q \xrightarrow{c}_{ln} m::b.p \mid n::q \xrightarrow{b}_{mo} o::p \mid n::q.$

If we assume that $p = rec\ x.b.x$ and $q = rec\ x.c.x$, we see that the second state and the final state of this computation are the same up to the choice of location names; this was not true in the approach of [3, 4].

The fact that the location names are different in the two states becomes inessential when we map agents on causal automata; in fact, we define a function $norm$ that, given an agent $p$, returns a pair $(p', \sigma)$, where $p'$ is obtained from $p$ by normalizing the location names and $\sigma$ describes which location of $p$ corresponds to each location of $p'$. CCS agents can now be mapped on causal automata.

Definition 3.4 (from CCS agents to causal automata). Let $l_{init}$ be a special location and let $p_0$ be a CCS agent without location prefixes. The causal automaton $aut(p_0) = (Q, w, \mapsto, q_0)$ is so defined:

• $q_0 = l_{init}::p_0 \in Q$;

• $w(p)$ are those locations appearing in $p$ which are different from $l_{init}$;

• whenever $p \in Q$, $p \xrightarrow{a}_{lm} p'$ and $(p'', \sigma) = norm(p')$ then $p'' \in Q$ and:

  – $p \xrightarrow{a}_{\{l\},\,[\star/m]\circ\sigma} p''$ if $l \neq l_{init}$,

  – $p \xrightarrow{a}_{\emptyset,\,[\star/m]\circ\sigma} p''$ if $l = l_{init}$.
Also in this case, the general definition of bisimulation on causal automata exactly matches the ordinary definition of location equivalence, as shown in [15].

Theorem 3.5. Given two CCS agents $p$ and $q$, $p \sim_{loc} q$ iff $aut(p) \sim_{ca} aut(q)$.

In this case, with some garbage collection of terminated (i.e., $nil$) subagents, finite causal automata can be obtained for the class of finitary agents. An agent is finitary if all agents which are reachable from it have a bounded number of non-terminated parallel components.

4. From causal automata to ordinary automata

In the construction of the causal automata, we consider only names of past events which are referenced in the present state. In fact, the remaining names certainly cannot be relevant for the future computation. However, it can happen that some of the names associated with a state are never referenced in future computations. These names can be safely discarded from the automaton, obtaining a more compact structure.

Definition 4.1 (active names). Given a causal automaton $A$, the sets of active names corresponding to the states of $A$, denoted by $an(p)$ with $p \in Q_A$, are the smallest sets such that:

• if $p \xrightarrow{a}_{M,\sigma} p'$ then $M \subseteq an(p)$;

• if $p \xrightarrow{a}_{M,\sigma} p'$, $m \in an(p')$ and $\sigma(m) \neq \star$ then $\sigma(m) \in an(p)$.

Definition 4.2 (irredundant reduction). Let $A = (Q, w, \mapsto, q_0)$ be a causal automaton. Its irredundant reduction is the causal automaton $\natural A = (Q, an, \mapsto', q_0)$ where $\mapsto'$ is obtained from $\mapsto$ by restricting the renamings to the active names of the target states.

We say that an automaton $A$ is irredundant if $\natural A = A$.

Proposition 4.3. Let $A$ be a causal automaton. Then $\natural A \sim_{ca} A$.

A causal automaton $A$ can be visited beginning from the initial state. In this visit, the global meaning of the private names of the reached states is made explicit². If the global meaning corresponding to the names of a reached state $p$ is given by $\alpha : w(p) \to \mathbb{N}$ and transition $p \xrightarrow{a}_{M,\sigma} q$ is followed, the global meaning for $q$ is given essentially by $\alpha \circ \sigma$. However, a global meaning has to be associated also to the name created in the transition (the name of the target state mapped to $\star$ by the transition renaming). To this purpose we use a function $new$, which takes a transition $p \xrightarrow{a}_{M,\sigma} p'$ and a global meaning $\alpha$ for the names of $p$ and returns a new name. A possible definition of $new$ is as follows:

$new(p \xrightarrow{a}_{M,\sigma} p', \alpha) = \min\{\mathbb{N} \setminus \alpha(\sigma(w(p')))\}$

This means that the first name is chosen that is not already used in the target state. Other allocation strategies can be adopted by changing function $new$.

To formalize the idea of visiting a causal automaton $A$, we associate to $A$ a standard labeled transition system (called the unfolding of $A$); each state of the unfolding is a pair (state of the causal automaton, global meaning of its names) and each transition has the form

$(p, \alpha) \xrightarrow{a}_{m,M} (p', \alpha')$

where $a$ is an action, $M$ are the names the action depends on and $m$ is the newly created name.

² A state can be visited more than once, with different meanings for its private names.

Definition 4.4 (unfolding). The unfolding corresponding to a causal automaton $A = (Q, w, \mapsto, q_0)$ is the labeled transition system $unf(A) = (Q_u, \to, q_{0u})$ defined as follows:

• the initial state is $q_{0u} = (q_0, \emptyset) \in Q_u$;

• if $(p, \alpha) \in Q_u$ and $p \xrightarrow{a}_{M,\sigma} p'$ then $(p', \alpha') \in Q_u$ and $(p, \alpha) \xrightarrow{a}_{m,M'} (p', \alpha')$, where $\alpha' = (\alpha \cup \{(\star, m)\}) \circ \sigma$, $M' = \alpha(M)$ and $m = new(p \xrightarrow{a}_{M,\sigma} p', \alpha)$.

It is easy to show that there are equivalent causal automata with non-equivalent unfoldings. This happens because two equivalent states of the causal automata can have a different number of names, and in the unfolding this can lead to different choices for the new names.

The following theorem expresses an important result of this paper: given two irredundant causal automata, they are equivalent if and only if the corresponding unfoldings are equivalent. This allows us to apply a standard partitioning algorithm for checking the equivalence of two automata and to obtain minimal (standard) automata corresponding to them.

Theorem 4.5. If $A$ and $B$ are irredundant causal automata then $A \sim_{ca} B$ iff $unf(A) \sim unf(B)$.


5. A tool for verifying causal automata

Theorem 4.5 suggests an algorithm for checking history-preserving equivalence of two systems based on partial orders:

1. construct (separately) the causal automata corresponding to the systems;

2. discover (separately) the active names of the two automata and get the irredundant reductions: start marking the names that are active due to the first condition of Definition 4.1 and continue marking all the names reachable following the dependencies in the other condition of Definition 4.1; at the end discard the unmarked names;

3. unfold (separately) the obtained irredundant automata;

4. use a standard algorithm for checking the (strong or weak) equivalence of the obtained transition systems (for instance, partition refinement [11, 18]).
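The following Python program is an added example, not code from the paper or from the Pisa tool: it implements the active-name computation of Definition 4.1, the irredundant reduction of Definition 4.2, the unfolding of Definition 4.4 with the $new$ function of Section 4, and a naive strong-bisimulation check on the resulting transition systems, i.e. steps 2-4 of the algorithm above. The two causal automata A and B, the encoding of a transition as a tuple (p, a, M, sigma, p'), and the use of natural numbers as global names are my assumptions; they are chosen so that A carries a name that is never referenced, which makes unf(A) and unf(B) non-bisimilar even though the unfoldings coincide once A is made irredundant.

```python
# Added example (not from the paper or from the Pisa tool): Definitions 4.1,
# 4.2 and 4.4 on a small causal automaton, plus a bisimulation check on the
# unfoldings (steps 2-4 of the algorithm in Section 5). Encoding (assumed):
# w(p) is a set of private names; a transition (p, a, M, sigma, p2) carries
# the action a, the set M of names of p the action depends on, and a renaming
# sigma mapping each name of p2 to a name of p or to STAR, the created name.
from itertools import count

STAR = "*"


class CausalAutomaton:
    def __init__(self, names, trans, q0):
        self.names = {q: frozenset(n) for q, n in names.items()}  # w
        self.trans = list(trans)
        self.q0 = q0

    def active_names(self):
        """Definition 4.1: least sets an(p) closed under the two rules."""
        an = {q: set() for q in self.names}
        for p, _a, M, _sigma, _p2 in self.trans:
            an[p] |= set(M)  # rule 1: names the action depends on are active
        changed = True
        while changed:  # rule 2: activity flows backwards through sigma
            changed = False
            for p, _a, _M, sigma, p2 in self.trans:
                for m in list(an[p2]):
                    if sigma[m] != STAR and sigma[m] not in an[p]:
                        an[p].add(sigma[m])
                        changed = True
        return {q: frozenset(s) for q, s in an.items()}

    def irredundant(self):
        """Definition 4.2: keep active names only; restrict renamings to them."""
        an = self.active_names()
        trans = [(p, a, M, {m: s for m, s in sigma.items() if m in an[p2]}, p2)
                 for p, a, M, sigma, p2 in self.trans]
        return CausalAutomaton(an, trans, self.q0)

    def unfold(self):
        """Definition 4.4: LTS on pairs (p, alpha), alpha mapping the names of
        p to natural numbers (their global meaning)."""
        start = (self.q0, frozenset())
        states, edges, todo = {start}, [], [start]
        while todo:
            p, alpha_items = todo.pop()
            alpha = dict(alpha_items)
            for src, a, M, sigma, p2 in self.trans:
                if src != p:
                    continue
                # new(): smallest number not used by the names of p2 inherited from p
                used = {alpha[sigma[n]] for n in self.names[p2] if sigma[n] != STAR}
                m = next(i for i in count() if i not in used)
                # alpha' = (alpha u {(STAR, m)}) o sigma  and  M' = alpha(M)
                alpha2 = frozenset((n, m if sigma[n] == STAR else alpha[sigma[n]])
                                   for n in self.names[p2])
                tgt = (p2, alpha2)
                edges.append(((p, alpha_items), (a, m, frozenset(alpha[n] for n in M)), tgt))
                if tgt not in states:
                    states.add(tgt)
                    todo.append(tgt)
        return states, edges, start


def bisimilar(lts1, lts2):
    """Strong bisimilarity of two finite LTS (states, edges, initial) computed
    as the greatest fixpoint of relation refinement; partition refinement
    [11, 18] is the efficient alternative for step 4."""
    (s1, e1, i1), (s2, e2, i2) = lts1, lts2
    succ1, succ2 = {}, {}
    for src, lab, tgt in e1:
        succ1.setdefault(src, []).append((lab, tgt))
    for src, lab, tgt in e2:
        succ2.setdefault(src, []).append((lab, tgt))

    def matches(x, y, rel):
        return (all(any(l == l2 and (t, t2) in rel for l2, t2 in succ2.get(y, []))
                    for l, t in succ1.get(x, []))
                and all(any(l == l1 and (t1, t) in rel for l1, t1 in succ1.get(x, []))
                        for l, t in succ2.get(y, [])))

    rel = {(x, y) for x in s1 for y in s2}
    while True:
        refined = {(x, y) for x, y in rel if matches(x, y, rel)}
        if refined == rel:
            return (i1, i2) in rel
        rel = refined


# Constructed automata: A creates a name m on its first step that no later
# action depends on; B is the same behaviour without the redundant name.
A = CausalAutomaton(
    {"q0": set(), "q1": {"m"}, "q2": {"m", "n"}},
    [("q0", "a", set(), {"m": STAR}, "q1"),
     ("q1", "b", set(), {"m": "m", "n": STAR}, "q2"),
     ("q2", "c", {"n"}, {"m": "m", "n": STAR}, "q2")], "q0")
B = CausalAutomaton(
    {"q0": set(), "q1": set(), "q2": {"n"}},
    [("q0", "a", set(), {}, "q1"),
     ("q1", "b", set(), {"n": STAR}, "q2"),
     ("q2", "c", {"n"}, {"n": STAR}, "q2")], "q0")


def demo():
    """(unf(A) ~ unf(B), unf(natural A) ~ unf(B)): the redundant name m shifts
    the global names chosen in unf(A), so only the reduced automaton matches."""
    return (bisimilar(A.unfold(), B.unfold()),
            bisimilar(A.irredundant().unfold(), B.unfold()))


if __name__ == "__main__":
    print(A.active_names())  # only q2 has an active name: {'n'}
    print(demo())            # (False, True)
```

The unfolding of A allocates global name 1 to the name created by the $b$ step because the inactive name $m$ still occupies 0, while B allocates 0; the labels of the two unfoldings therefore differ and the check fails, exactly the phenomenon that motivates Theorem 4.5's restriction to irredundant automata.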

Notice that, while step 1 depends on the formalism in which the systems are described (CCS, Petri nets, ...) and on the desired partial order semantics (localities, causality, ...), steps 2-4 work for generic causal automata and are hence common to all these formalisms.

To add a new formalism, moreover, it is sufficient to define a new function which maps systems described in this new formalism into causal automata; obviously, this function must map history-preserving equivalent systems into equivalent causal automata. Moreover, it has to map an interesting set of systems into finite causal automata. As shown in Section 3, this is obtained by having a syntactic notion to decide if a past name can be forgotten in a particular state. Step 2 of the algorithm then refines this notion, discarding all the inactive names that were created during the generation phase.

In the studied cases, the class of systems which are captured is very significant: in the case of CCS with localities, all the finitary agents; in the case of Petri nets, all the n-safe nets.

The proposed algorithm can also be used to generate the minimal transition system corresponding to a system; to obtain this, the same procedure has to be applied starting with just a net and, at the end, a minimization algorithm has to be applied. As far as we know, this is the first approach which leads to minimal realizations for Petri nets up to history-preserving bisimulation and for CCS with localities.

A verification environment based on the above approach is being developed³ in Pisa. The tool is based on history-dependent automata [14], which are slightly more general than the causal automata presented in this paper. In fact, they also model π-calculus agents. The π-calculus is an extension of CCS in which channel names can be used as values in communications, allowing for dynamic creation of new channels; since channels can be created by some actions and then used in following communications, it is clear that the π-calculus also has to deal with dependencies between transitions.

The environment provides a set of tools on history-dependent automata to edit, visualize, make irredundant and unfold them. A number of front ends that translate several formalisms into causal automata are also planned. An existing verification environment for process algebras, the JACK system [2], is used instead to work on ordinary automata (equivalence checking and minimization). Moreover, a model checker for verifying logical properties of systems has also been implemented. The model checker allows the user to check behavioral properties (expressed in a variant of Hennessy-Milner logic) directly on history-dependent automata. Tools are also under investigation that directly check for bisimulation and minimize history-dependent automata. The logical structure of the verification environment is illustrated in Figure 1.
Appendix

In this appendix we present the basic definitions on Petri nets we use in the paper. Most of the definitions and of the notations are from [9].

Definition 5.1 (net). A net $N$ is a tuple $(S, T, F)$ where:

• $S$ is a set of places and $T$ is a set of transitions; we assume $S \cap T = \emptyset$;

• $F \subseteq (S \times T) \cup (T \times S)$ is the flow relation.

If $x \in S \cup T$ then ${}^\bullet x = \{y \mid (y, x) \in F\}$ and $x^\bullet = \{y \mid (x, y) \in F\}$ are called respectively the pre-set and the post-set of $x$.

Let ${}^\circ N = \{x \in S \cup T \mid {}^\bullet x = \emptyset\}$ and $N^\circ = \{x \in S \cup T \mid x^\bullet = \emptyset\}$.

A net $N$ is finite if $S$ and $T$ are finite sets.

Given a net $N = (S, T, F)$, we often write $S_N$, $T_N$, $F_N$ for $S$, $T$, $F$. We will apply a similar convention also to the other structures we are going to define.

Definition 5.2 (P/T net). A (labeled, marked) place/transition net (or simply P/T net) $N$ is a tuple $(S, T, F, W, l, m_0)$, where:

• $(S, T, F)$ is a net;

• $W : F \to \mathbb{N}^+$ assigns a positive weight to each arc of the net; we sometimes assume that $W$ is defined on $(S \times T) \cup (T \times S)$ by requiring $W(x, y) = 0$ if $(x, y) \notin F$;

• $l : T \to Labels$ is the labeling function, where $Labels$ is a fixed set of action labels;

• $m_0 : S \to \mathbb{N}$ is the initial marking.

A marking is a mapping $m : S \to \mathbb{N}$. It represents a distribution of the tokens in the places of the net.

Transition $t \in T$ is enabled at marking $m$ if $m(s) \geq W(s, t)$ for all $s \in {}^\bullet t$. In this case, the firing of $t$ at $m$ produces the marking $m'$ with $m'(s) = m(s) + W(t, s) - W(s, t)$, and we write $m \xrightarrow{t} m'$.
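As an added example, not code from the paper or from [9], here is a Python implementation of the firing rule above (with $W$ extended by zero to non-arcs, as Definition 5.2 allows), a breadth-first construction of the reachable markings, and the n-safety bound that Section 5 relies on for Petri nets. The producer/consumer net and the one-place unbounded net are constructed for illustration; the exploration limit is my addition so that an unbounded net is reported instead of looping forever.

```python
# Added example (not from the paper): P/T nets of Definition 5.2, the firing
# rule, reachable markings and the n-safety bound used in Section 5.
from collections import deque


class PTNet:
    def __init__(self, places, transitions, weights, labels, m0):
        self.S, self.T = set(places), set(transitions)
        self.W = dict(weights)   # (x, y) -> positive weight, for each arc (x, y) in F
        self.l = dict(labels)    # transition -> action label
        self.m0 = {s: m0.get(s, 0) for s in self.S}

    def w(self, x, y):
        """W extended to all pairs by W(x, y) = 0 when (x, y) is not an arc."""
        return self.W.get((x, y), 0)

    def enabled(self, m, t):
        """m(s) >= W(s, t) for all s; places outside the pre-set have W(s, t) = 0."""
        return all(m[s] >= self.w(s, t) for s in self.S)

    def fire(self, m, t):
        """m'(s) = m(s) + W(t, s) - W(s, t)."""
        if not self.enabled(m, t):
            raise ValueError(f"{t} is not enabled")
        return {s: m[s] + self.w(t, s) - self.w(s, t) for s in self.S}

    def marking_graph(self, limit=10_000):
        """Reachable markings and the labeled firing steps m -l(t)-> m'."""
        key = lambda m: tuple(sorted(m.items()))
        seen, edges, todo = {key(self.m0): self.m0}, [], deque([self.m0])
        while todo:
            m = todo.popleft()
            for t in sorted(self.T):
                if self.enabled(m, t):
                    m2 = self.fire(m, t)
                    edges.append((key(m), self.l[t], key(m2)))
                    if key(m2) not in seen:
                        if len(seen) >= limit:
                            raise RuntimeError("too many markings: net is probably unbounded")
                        seen[key(m2)] = m2
                        todo.append(m2)
        return list(seen.values()), edges

    def safety_bound(self, limit=10_000):
        """Smallest n such that the net is n-safe (at most n tokens per place)."""
        markings, _ = self.marking_graph(limit)
        return max(v for m in markings for v in m.values())

    def is_n_safe(self, n, limit=10_000):
        """False also when the exploration hits `limit` markings."""
        try:
            return self.safety_bound(limit) <= n
        except RuntimeError:
            return False


# Constructed producer/consumer net with a buffer of capacity 2: "cap" holds
# the free slots and "buf" the filled ones, so buf + cap == 2 in every marking.
PRODUCER_CONSUMER = PTNet(
    places=["p_idle", "p_busy", "buf", "cap", "c_idle", "c_busy"],
    transitions=["produce", "put", "take", "consume"],
    weights={("p_idle", "produce"): 1, ("produce", "p_busy"): 1,
             ("p_busy", "put"): 1, ("cap", "put"): 1, ("put", "p_idle"): 1, ("put", "buf"): 1,
             ("c_idle", "take"): 1, ("buf", "take"): 1, ("take", "c_busy"): 1, ("take", "cap"): 1,
             ("c_busy", "consume"): 1, ("consume", "c_idle"): 1},
    labels={"produce": "prod", "put": "put", "take": "take", "consume": "cons"},
    m0={"p_idle": 1, "c_idle": 1, "cap": 2})

# Constructed net whose only transition doubles the tokens in s: n-safe for no n.
UNBOUNDED = PTNet(["s"], ["t"], {("s", "t"): 1, ("t", "s"): 2}, {"t": "dup"}, {"s": 1})

if __name__ == "__main__":
    markings, edges = PRODUCER_CONSUMER.marking_graph()
    print(len(markings), "reachable markings,", len(edges), "firing steps")  # 12, 20
    print("n-safe for n =", PRODUCER_CONSUMER.safety_bound())                 # 2
```

The marking graph is the ordinary (interleaving) transition system of the net; the producer/consumer example has 12 reachable markings and 20 firing steps, and its bound of 2 shows it is 2-safe, so it falls in the class that Section 5 says the causal-automaton construction captures.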

Definition 5.3 (occurrence net). An occurrence net is a net $K = (C, E, G)$ (in this case, states are also called conditions and transitions are also called events) such that:

• for all $c \in C$, $|{}^\bullet c| \leq 1$ and $|c^\bullet| \leq 1$ (conditions are not branching), and

• the transitive closure $G^+$ of $G$ is irreflexive (the net is acyclic).

Definition 5.4 (process). A process $\pi$ of a P/T net $N = (S, T, F, W, l, m_0)$ is a tuple $(C, E, G, p)$, where $K = (C, E, G)$ is a finite occurrence net and $p : (C \cup E) \to (S \cup T)$ is such that:

• $p(C) \subseteq S$, $p(E) \subseteq T$;

• $m_0(s) = |p^{-1}(s) \cap {}^\circ K|$ for all $s \in S$;

• $W(s, p(e)) = |\{c \in {}^\bullet e \mid p(c) = s\}|$ and $W(p(e), s) = |\{c \in e^\bullet \mid p(c) = s\}|$ for all $e \in E$ and all $s \in S$.

We write ${}^\circ\pi$ for ${}^\circ K$ and $\pi^\circ$ for $K^\circ$.

The initial process of net $N$ is the⁴ process $\pi_0(N)$ with an empty set of events.

Let $\pi = (C, E, G, p)$ and $\pi' = (C', E', G', p')$ be two processes of $N$. If:

• $E' = E \cup \{e\}$ for some $e \notin E$;

• $C' \supseteq C$;

• $p'|_{C \cup E} = p$

then we write $\pi \xrightarrow{t} \pi'$, where $t = p'(e)$.

⁴ Notice that the initial process of a net is unique only up to isomorphism of the set of initial conditions.

Now we define history-preserving bisimulation. We follow a classical characterization, as it appears in [1] under the name of fully concurrent bisimulation.

Definition 5.5 (event structure). The (deterministic) event structure for process $\pi = (C, E, G, p)$ of net $N$ is the tuple $ev(\pi) = (E, G^+|_E, l_N \circ p|_E)$. An isomorphism between two event structures is a bijective function between their events which respects ordering and labels.

Definition 5.6 (history-preserving bisimulation). A set $\mathcal{R}$ of triples is a history-preserving bisimulation for nets $N_1$ and $N_2$ if:

• if $(\pi_1, f, \pi_2) \in \mathcal{R}$ then $\pi_1$ is a process of $N_1$, $\pi_2$ is a process of $N_2$ and $f$ is an isomorphism between $ev(\pi_1)$ and $ev(\pi_2)$;

• $(\pi_0(N_1), \emptyset, \pi_0(N_2)) \in \mathcal{R}$;

• if $(\pi_1, f, \pi_2) \in \mathcal{R}$ and $\pi_1 \xrightarrow{t_1} \pi_1'$ then $\pi_2 \xrightarrow{t_2} \pi_2'$ with $(\pi_1', f', \pi_2') \in \mathcal{R}$ and $f'|_{ev(\pi_1)} = f$;

• if $(\pi_1, f, \pi_2) \in \mathcal{R}$ and $\pi_2 \xrightarrow{t_2} \pi_2'$ then $\pi_1 \xrightarrow{t_1} \pi_1'$ with $(\pi_1', f', \pi_2') \in \mathcal{R}$ and $f'|_{ev(\pi_1)} = f$.

Two nets $N_1$ and $N_2$ are history-preserving bisimilar, written $N_1 \sim_{hp} N_2$, if there is a history-preserving bisimulation for them.
Transition Systems with Independence and Multi-Arcs

Abstract. We extend the model of transition systems with independence in order to provide it with a feature relevant in the noninterleaving analysis of concurrent systems, namely multi-arcs. Moreover, we study the relationships between the category of transition systems with independence and multi-arcs and the category of labeled asynchronous transition systems, extending the results recently obtained by the authors for (simple) transition systems with independence (cf. Proc. CONCUR'96), and yielding a precise characterisation of transition systems with independence and multi-arcs in terms of (event-maximal, diamond-extensional) labeled asynchronous transition systems.


Introduction

Following the leading idea of CCS [12] and related process calculi [11, 2, 13, 9], the behaviour of concurrent systems is often specified extensionally by describing their 'state-transitions' and the observable behaviours that such transitions produce. The simplest formal model of computation able to express this idea naturally is that of labeled transition systems, where the labels on the transitions are thought of as the actions of the system at its 'external ports', or, more generally, the observable part of its behaviour.

Transition systems are an interleaving model of concurrency, which means that they do not allow one to draw a natural distinction between interleaved and concurrent execution of actions. More precisely, transition systems do not model the fact that concurrent actions can overlap in time and reduce concurrency to a nondeterministic choice of action interleavings, so losing track of the causal dependencies between actions and, consequently, of the fact that computations that differ only in the order of independent actions represent, actually, the same behavi

our. In other words, interleaving models abstract away from the difference between the factual temporal occurrence order and the more conceptual causal ordering of actions. The simplest exemplification of this situation is provided by the CCS terms $a \mid b$ and $a.b + b.a$, both described by the following transition system.

(1) [diagram: the interleaving diamond of $a$ and $b$ transitions]
Although for many applications this level of abstraction is appropriate, for several other kinds of analysis a model may be desirable that takes full account of concurrency. For instance, apart from any philosophical consideration about the semantic relevance of cause/effect relationships, knowing that different interleavings represent the same behaviour can considerably reduce the state-space explosion problem when checking system properties such as safety [8] and liveness properties [21, 17].

Several efforts have been devoted to the search for transition-based noninterleaving models, e.g., transition systems enriched with additional features that make it possible to express concurrency explicitly (cf., e.g., [18, 4, 6, 7, 5, 3]). The present paper focuses on two such models, namely asynchronous transition systems, introduced independently by Bednarczyk [1] and Shields [20], and transition systems with independence, proposed by Winskel and Nielsen [22]. These two competing approaches are, among the others, those building on the simplest idea: endow transition systems with some formal notion of 'similarity' of transitions that makes it possible to distinguish whether or not the opposite edges in diagrams such as (1) represent the same action. Intuitively, this is achieved in both approaches by thinking of transitions as occurrences of events, two transitions representing the same event if they correspond to the same action. However, the differences induced on the models by the different choices of how to assign events to transitions are definitely not trivial. And so are the relationships that these models bear to each other.

Getting to the details, asynchronous transition systems assign events to transitions explicitly and enrich the structure further by adding an independence relation on the events that describes their causal relationships. This clearly makes distinguishing nondeterminism and concurrency possible; $a.b + b.a$ and $a \mid b$ can be represented respectively by, e.g., the following labeled asynchronous transition systems, where the independence relation indicates whether or not the events $e$ and $e'$ (labeled by $a$ and $b$) are independent.

Observe that here and in the rest of the paper we consider labeled asynchronous transition systems [1, 22], i.e., asynchronous transition systems with a further labeling of events, as the proper extension of labeled transition systems.

The expressive power of asynchronous transition systems is clearly not limited to the example above; for instance, Bednarczyk [1] and Mukund and Nielsen [15] have shown that noninterleaving related issues for CCS processes — such as localities — can be modeled faithfully using this model. However, it can be argued that assigning both the independence relation and the decoration of transitions with events explicitly means assigning too much. In fact, this obviously introduces some redundancies in the model: there are, for instance, many non-isomorphic variations of the asynchronous transition systems above which can still be reasonably thought of as models of $a \mid b$ and $a.b + b.a$. Moreover, although it is usually easy to tell about independence of transitions, in many important cases it is at least not immediate to assign events to transitions: it might very well be the goal of the entire semantic analysis to understand what the events of the system and their mutual relationships are. This consideration seems to indicate that asynchronous transition systems cannot have a significant impact in Plotkin's SOS style semantics, unless the independence relation is promoted to a greater role.

Transition systems with independence are an attempt to answer the previous observation. Here events are not introduced explicitly. They are rather derived from the structure of the 'simply-labeled' transitions, upon which the independence relation is directly layered. In such a model, each of the CCS terms discussed above admits only one transition system which can faithfully represent it, viz., respectively,

[diagrams: the two transition systems with independence for $a \mid b$ and $a.b + b.a$]

The implicit information about events can be easily deduced from the presence (or the absence) of independence, making the achieved expressive power comparable to that of asynchronous transition systems. Moreover, avoiding a primitive notion of event makes providing a 'noninterleaving' operational semantics in the SOS style a relatively simple task (cf. [22]).

However, in order to be consistent with the computational intuition, the axiomatics of transition systems with independence involves (apparently necessarily [19]) one condition expressed 'globally' in terms of all the transitions representing occurrences of the same event. This contrasts with the 'local' conditions defining asynchronous transition systems (due to the globally identified events) and can make it hard to check that a given structure is a transition system with independence. Thus, the differences induced on the two models by the choice of a primitive versus a derived notion of event are far-reaching and seem to make them suitable for different applications. This indicates that it is not wise to choose once and for all between asynchronous transition systems and transition systems with independence, which, in turn, opens the issue of investigating formally their analogies and differences.

An exhaustive analysis of this question was carried out by the authors in [10], showing that transition systems with independence, besides being nicely related to a class of asynchronous transition systems called extensional, are equivalent to the so-called event-maximal asynchronous transition systems. The results of loc. cit. are summarized by the following diagram, where TSI, LATS, eLATS, and meLATS are, respectively, the categories of transition systems with independence, labeled, extensional, and event-maximal asynchronous transition systems, and where $\hookrightarrow$, $\bot$, and $\equiv$ stand respectively for embeddings, coreflections, and equivalences.

[diagram: TSI embeds in LATS; TSI is coreflective in eLATS and equivalent to meLATS; meLATS embeds in eLATS]

Essentially, the extensionality condition refers to the existence of a unique way to 'complete' pairs of independent transitions to 'independence-diamonds'. Also, it excludes multi-arcs, i.e., multiple transitions with the same label between the same two states. Event-maximality, on the other hand, can be seen at the same time as identifying those transition systems that make as few identifications of transitions as possible, i.e., contain no confusion about event identities, and those in which such identities are derivable from the independence relation, i.e., reduce the redundancy. It is worth noticing here that $at : eLATS \to TSI$, the right adjoint of the coreflection, complements and corrects a non-well-defined construction sketched in [22]: as a matter of fact, due to the greater generality of asynchronous transition systems, eLATS happens to be the largest subcategory of LATS on which such a construction makes sense.

A question left open by [10] is whether or not the need to restrict to extensional asynchronous transition systems is a consequence of the intrinsic differences between the two notions of events considered, i.e., if in order to be able to model situations ruled out by the extensionality constraints it is necessary to assign events explicitly. This paper addresses such a question; namely, we remove the restriction to transition systems without multi-arcs, relaxing the definition of transition systems with independence, and yielding the new notion of transition systems with independence and multi-arcs (nonextensional transition systems with independence would probably be a better name, though).

This represents, in our view, an interesting enhancement of the model. In fact, in noninterleaving semantics, to be able to treat multi-arcs is clearly very relevant. In a sense, it can be seen as allowing 'quotienting' of the state-space while retaining full information about events and causality. As an example, consider the CCS term $(a \mid b) + a.b$, traditionally described by the following transition system.

[diagram: transition system of $(a \mid b) + a.b$, with states including $a \mid nil$ and $nil$]

It is common (see e.g. [13, 15] among others) to quotient the state-space by some structural congruence that, e.g., collapses the states $b$ and $nil \mid b$, obtaining the more compact representation — with multi-arcs — shown below.

Observe that, contrarily to the interleaving case, it is vital here to have two different $a$-transitions, since they represent different events: one is part of the independence-diamond and is, therefore, independent of $b$; the other is not.

In order to justify our definition, we prove that, except for the extensionality condition, the category TSIm of transition systems with independence and multi-arcs bears exactly the same relationships as TSI to LATS. More precisely, we prove that TSIm is coreflective in the category dLATS of the diamond-extensional asynchronous transition systems — intuitively, those transition systems that make no confusion about the identities of the events carried by transitions facing each other in independence-diamonds. Similarly to the case of TSI, dLATS is the largest subcategory of LATS for which such a result holds. Moreover, among the diamond-extensional, we identify the event-maximal asynchronous transition systems and prove that they induce the largest full subcategory of LATS, mdLATS, for which the coreflection cuts down to an equivalence. This yields a precise characterisation of TSIm in terms of LATS that extends the relationships between TSI and LATS discussed above: in fact, the category eLATS and its full subcategory meLATS are, respectively, the full subcategories of dLATS and mdLATS consisting of transition systems without multi-arcs.

Summing up, this paper presents the following diagram of formal relationships between the new model of transition systems with independence and multi-arcs and asynchronous transition systems, which can be useful in practice to translate back and forth between the two models when the application one has in mind requires it.

Although the technical development here goes along the lines of [10], and therefore, strictly speaking, this paper is simply an extension of loc. cit., we believe that the definition of TSIm is a relevant contribution on its own.


1. Preliminaries

In this section we recall briefly the definitions of asynchronous transition systems, transition systems with independence, and their respective categories [1, 22].

As discussed in the introduction, asynchronous transition systems are simply transition systems whose transitions are decorated by events equipped with an independence relation. Four axioms (A1-A4) are needed to guarantee the intended meaning for the events and the independence relation.

Definition 1.1 (Labeled Asynchronous Transition Systems). A labeled asynchronous transition system (lats for short) is a structure

$A = (S_A, i_A, E_A, Tran_A, I_A, L_A, \ell_A),$

where $(S_A, i_A, E_A, Tran_A)$ is a transition system with set of states $S_A$, initial state $i_A \in S_A$, and transitions $Tran_A \subseteq S_A \times E_A \times S_A$, and where $E_A$ is a set of events, $L_A$ a set of labels, $\ell_A : E_A \to L_A$ a labeling function, and $I_A \subseteq E_A \times E_A$, the independence relation, is an irreflexive, symmetric relation such that

A1. $e \in E_A \Rightarrow \exists s_1, s_2 \in S_A.\ (s_1, e, s_2) \in Tran_A$;

A2. $(s, e, s_1), (s, e, s_2) \in Tran_A \Rightarrow s_1 = s_2$;

A3. $e_1\ I_A\ e_2,\ (s, e_1, s_1), (s, e_2, s_2) \in Tran_A \Rightarrow \exists u.\ (s_1, e_2, u), (s_2, e_1, u) \in Tran_A$;

A4. $e_1\ I_A\ e_2,\ (s, e_1, s_1), (s_1, e_2, u) \in Tran_A \Rightarrow \exists s_2.\ (s, e_2, s_2), (s_2, e_1, u) \in Tran_A$.

[diagrams: the independence diamonds required by A3 and A4]

In the rest of the paper we shall let $I(e)$ denote the set $\{e' \mid e\ I_A\ e'\}$ and, for convenience, use $(s, e^a, s')$ as a shorthand for a transition $(s, e, s')$ with $\ell_A(e) = a$.
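As an added example (not code from the paper), the following Python checker tests axioms A1-A4 of Definition 1.1 on a candidate structure. It is run on my encoding of the two lats sketched in the introduction for $a \mid b$ and $a.b + b.a$, namely the same $a$/$b$ diamond with the two events independent in the first case and not in the second, and on a constructed structure whose diamond lacks its closing transition, which violates A3 and A4.

```python
# Added example (not from the paper): a checker for the lats axioms A1-A4 of
# Definition 1.1. States, events and the independence relation of the sample
# structures below are my encoding of the introduction's a | b and a.b + b.a.
from itertools import product


class LATS:
    def __init__(self, states, init, events, trans, indep, label):
        self.S, self.i, self.E = set(states), init, set(events)
        self.Tran = set(trans)                              # triples (s, e, s')
        self.I = set(indep) | {(f, e) for e, f in indep}    # symmetric closure of I_A
        self.l = dict(label)                                # labeling l_A : E_A -> L_A

    def independent(self, e):
        """I(e) = {e' | e I_A e'}, the notation used in the rest of the paper."""
        return {f for d, f in self.I if d == e}

    def violations(self):
        """Human-readable list of axiom violations; empty iff this is a lats."""
        v = []
        if self.i not in self.S:
            v.append("initial state not in S")
        v += [f"I not irreflexive: {e}" for e, f in self.I if e == f]
        v += [f"label missing for {e}" for e in self.E if e not in self.l]
        # A1: every event occurs on at least one transition
        v += [f"A1: {e} has no transition" for e in self.E
              if not any(t[1] == e for t in self.Tran)]
        for (s, e1, s1), (s_, e2, s2) in product(self.Tran, repeat=2):
            if s != s_:
                continue
            # A2: an event enabled in s leads to a unique state
            if e1 == e2 and s1 != s2:
                v.append(f"A2: {e1} from {s} reaches both {s1} and {s2}")
            # A3: independent events enabled in s close to a diamond
            if (e1, e2) in self.I and not any(
                    (s1, e2, u) in self.Tran and (s2, e1, u) in self.Tran for u in self.S):
                v.append(f"A3: {e1}, {e2} from {s} have no common target")
        for (s, e1, s1), (s1_, e2, u) in product(self.Tran, repeat=2):
            # A4: independent events fired in sequence can be swapped
            if s1 == s1_ and (e1, e2) in self.I and not any(
                    (s, e2, s2) in self.Tran and (s2, e1, u) in self.Tran for s2 in self.S):
                v.append(f"A4: {e1} then {e2} from {s} cannot be swapped")
        return v


# Constructed samples: the a/b diamond 0 -e-> 1 -f-> 3 and 0 -f-> 2 -e-> 3.
DIAMOND = [(0, "e", 1), (0, "f", 2), (1, "f", 3), (2, "e", 3)]
LABELS = {"e": "a", "f": "b"}
PAR = LATS(range(4), 0, ["e", "f"], DIAMOND, [("e", "f")], LABELS)      # a | b
CHOICE = LATS(range(4), 0, ["e", "f"], DIAMOND, [], LABELS)             # a.b + b.a
BROKEN = LATS(range(4), 0, ["e", "f"], DIAMOND[:3], [("e", "f")], LABELS)  # (2, e, 3) missing

if __name__ == "__main__":
    for name, lats in [("a | b", PAR), ("a.b + b.a", CHOICE), ("broken", BROKEN)]:
        print(name, "->", lats.violations() or "is a lats")
```

Both diagrams of the introduction are accepted: A3 and A4 only constrain pairs that the independence relation declares independent, so the same four transitions form a lats whether or not $e\ I_A\ e'$. Dropping one side of the diamond while keeping the independence is rejected, which is the situation the 'local' conditions of Definition 1.1 are meant to exclude.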

The following is the standard definition of morphisms for lats, which essentially mimics the idea of simulation (cf. [1, 22]).
Definition 1.2 (Asynchronous Transition System Morphisms). For $A$ and $A'$ lats, a morphism from $A$ to $A'$ is a triple of (partial) functions¹

$$(\sigma \colon S_A \to S_{A'},\ \eta \colon E_A \rightharpoonup E_{A'},\ \lambda \colon L_A \rightharpoonup L_{A'}),$$

where $(\sigma, \eta)$ is a morphism of labeled transition systems, i.e.,

► $\sigma(i_A) = i_{A'}$;

► $(s_1, e, s_2) \in \mathit{Tran}_A,\ \eta(e){\downarrow} \Rightarrow (\sigma(s_1), \eta(e), \sigma(s_2)) \in \mathit{Tran}_{A'}$;

► $(s_1, e, s_2) \in \mathit{Tran}_A,\ \eta(e){\uparrow} \Rightarrow \sigma(s_1) = \sigma(s_2)$;

which preserves the labeling, i.e., makes the following diagram commutative,

$$\lambda \circ \ell_A = \ell_{A'} \circ \eta \qquad (E_A \xrightarrow{\eta} E_{A'},\ E_A \xrightarrow{\ell_A} L_A,\ E_{A'} \xrightarrow{\ell_{A'}} L_{A'},\ L_A \xrightarrow{\lambda} L_{A'}),$$

and the independence, i.e.,

$$e_1\, I_A\, e_2,\ \eta(e_1){\downarrow},\ \eta(e_2){\downarrow} \Rightarrow \eta(e_1)\, I_{A'}\, \eta(e_2).$$

It  is  immediate  to  see  that  lats  and  their  morphisms  form  a  category,  which  we  shall 
refer  to  as  LATS. 

Starting from Definition 1.1, transition systems with independence attempt to simplify the structure, retaining explicitly only the independence, now layered directly on the transitions. As already mentioned, the notion of event becomes implicit, determined by the independence relation through the equivalence classes of the relation $\sim$ introduced in the following definition.

DEFINITION 1.3 (Transition Systems with Independence). A transition system with independence (tsi for short) is a structure

$$T = (S_T, i_T, L_T, \mathit{Tran}_T, I_T),$$

where $(S_T, i_T, L_T, \mathit{Tran}_T)$ is a transition system and $I_T \subseteq \mathit{Tran}_T \times \mathit{Tran}_T$, the independence relation, is an irreflexive, symmetric relation, such that, denoting by $\prec$ the binary relation on transitions given as

$$(s, a, s_1) \prec (s_2, a, u) \ \text{ if and only if } \ \exists b \in L_T.\ (s, a, s_1)\, I_T\, (s, b, s_2),\ (s, a, s_1)\, I_T\, (s_1, b, u),\ (s, b, s_2)\, I_T\, (s_2, a, u),$$

and by $\sim$ the least equivalence on transitions which includes it, we have

T1. $(s, a, s_1) \sim (s, a, s_2) \Rightarrow s_1 = s_2$;

T2. $(s, a, s_1)\, I_T\, (s, b, s_2) \Rightarrow \exists u.\ (s, a, s_1)\, I_T\, (s_1, b, u),\ (s, b, s_2)\, I_T\, (s_2, a, u)$;

T3. $(s, a, s_1)\, I_T\, (s_1, b, u) \Rightarrow \exists s_2.\ (s, a, s_1)\, I_T\, (s, b, s_2),\ (s, b, s_2)\, I_T\, (s_2, a, u)$;

T4. $(s, a, s_1) \prec (s_2, a, u)\, I_T\, (w, b, w') \Rightarrow (s, a, s_1)\, I_T\, (w, b, w')$.

The $\sim$-equivalence classes are to be thought of as events, i.e., $t_1 \prec t_2$ means that $t_1$ and $t_2$ are part of a 'concurrency diamond', whilst $t_1 \sim t_2$ means that they are occurrences of the same event. Concerning the axioms, notice then that T1 corresponds to A2 and axioms T2 and T3 correspond, respectively, to A3 and A4.

¹ We use, respectively, $f \colon A \to B$ and $f \colon A \rightharpoonup B$ to indicate total and partial functions. For $f$ a partial function, $f(x){\downarrow}$ ($f(x){\uparrow}$) means that $f$ is defined (undefined) at $x$.
The following definition of morphisms for transition systems with independence resembles closely the one given above for lats.

Definition 1.4 (Transition System with Independence Morphisms). For $T$ and $T'$ tsi, a morphism from $T$ to $T'$ consists of a pair of (partial) functions

$$(\sigma \colon S_T \to S_{T'},\ \lambda \colon L_T \rightharpoonup L_{T'})$$

which is a morphism of transition systems and, in addition, preserves independence, i.e.,

$$(s_1, a, s_2)\, I_T\, (s'_1, b, s'_2),\ \lambda(a){\downarrow},\ \lambda(b){\downarrow} \Rightarrow (\sigma(s_1), \lambda(a), \sigma(s_2))\, I_{T'}\, (\sigma(s'_1), \lambda(b), \sigma(s'_2)).$$

We  shall  use  TSI  to  denote  the  category  of  tsi  and  their  morphisms. 

The following lemma states that tsi morphisms are well defined as maps of events, an easy consequence of the fact that they preserve independence, which we shall use in order to embed TSI into LATS.

Lemma 1.5 (Morphisms map Events to Events). For $(\sigma, \lambda) \colon T \to T'$ a morphism of tsi, and $(s_1, a, s_2)$ and $(s'_1, a, s'_2)$ transitions of $T$, $(\sigma(s_1), \lambda(a), \sigma(s_2)) \sim (\sigma(s'_1), \lambda(a), \sigma(s'_2))$ whenever $(s_1, a, s_2) \sim (s'_1, a, s'_2)$ and $\lambda(a){\downarrow}$, i.e., lats morphisms preserve

2.  Comparing  LATS  with  TSI:  Considering  multi-arcs 

In this section we first recall the results of the comparison of TSI and LATS carried out by the authors in [10], and then, reconsidering a restriction used in loc. cit., we introduce the notion of transition systems with independence and multi-arcs, i.e., tsi in which multiple transitions carrying the same label are allowed between the same two states. In the next section we shall then perform an analysis matching that of [10], investigating the relationship between such a category and LATS, and showing that, in a precise sense, our definition provides a minimal, conservative way to extend tsi with multi-arcs.

The starting point of the analysis in [10] is the obvious inclusion $ta \colon \mathrm{TSI} \hookrightarrow \mathrm{LATS}$ which acts on objects by decorating each transition with the event identified by the $\sim$-class the transition belongs to, and by inheriting the independence relation directly from the tsi. In the opposite direction, we considered the 'abstraction' $at$ from LATS to TSI that forgets the events and brings the independence from the events down to the transitions. However, a simple argument shows that the presence of multi-arcs in LATS makes it impossible for $at$ to be well-defined as a map to TSI. Thus, the very first step of [10] is to consider only those lats $A$ satisfying

$$(\mathrm{Ex})\quad (s_1, e_1^a, s_2) \neq (s_1, e_2^b, s_2) \in \mathit{Tran}_A \Rightarrow a \neq b,$$

whose purpose is to forbid multi-arcs. This makes it possible to prove that the diamond-extensional asynchronous transition systems, whose definition follows, are exactly those lats $A$ such that $at(A)$ belongs to TSI.

DEFINITION 2.1 (Diamond-Extensional lats). A diamond-extensional labeled asynchronous transition system (dlats for short) is a lats that satisfies

A!3. $e_1\, I_A\, e_2,\ (s, e_1^a, s_1), (s, e_2^b, s_2) \in \mathit{Tran}_A \Rightarrow \exists!\ \text{pair } (s_1, x_2^b, u), (s_2, x_1^a, u) \in \mathit{Tran}_A.\ e_1\, I_A\, x_2,\ e_2\, I_A\, x_1,\ x_1\, I_A\, x_2$;

A!4. $e_1\, I_A\, e_2,\ (s, e_1^a, s_1), (s_1, e_2^b, u) \in \mathit{Tran}_A \Rightarrow \exists!\ \text{pair } (s, x_2^b, s_2), (s_2, x_1^a, u) \in \mathit{Tran}_A.\ e_1\, I_A\, x_2,\ e_2\, I_A\, x_1,\ x_1\, I_A\, x_2$.

The category dLATS is the full subcategory of LATS consisting of the diamond-extensional lats.


We call extensional the diamond-extensional lats that in addition satisfy (Ex), and we denote by eLATS the full subcategory of dLATS that they determine. We can now give the formal definitions of the functors $ta \colon \mathrm{TSI} \to \mathrm{LATS}$ and $at \colon \mathrm{eLATS} \to \mathrm{TSI}$.


Definition 2.2 (TSI $\to$ LATS). For $T$ a tsi, let $ta(T)$ be the structure

$$(S_T, i_T, E, \mathit{Tran}, I, L_T, \ell),$$

where, denoting by $\sim$ the equivalence relation induced by $I_T$ as in Definition 1.3,

► $E = \mathit{Tran}_T/{\sim}$, the set of $\sim$-classes of $\mathit{Tran}_T$;

► $\mathit{Tran} = \{(s_1, [(s_1, a, s_2)]_\sim, s_2) \mid (s_1, a, s_2) \in \mathit{Tran}_T\}$;

► $[(s_1, a, s_2)]_\sim\, I\, [(s'_1, b, s'_2)]_\sim$ if and only if $(s_1, a, s_2)\, I_T\, (s'_1, b, s'_2)$;

► $\ell([(s_1, a, s_2)]_\sim) = a$.

For $(\sigma, \lambda) \colon T \to T'$ a morphism of tsi, let $ta((\sigma, \lambda))$ be $(\sigma, \eta, \lambda)$, where

$$\eta([(s_1, a, s_2)]_\sim) = \begin{cases} [(\sigma(s_1), \lambda(a), \sigma(s_2))]_\sim & \text{if } \lambda(a){\downarrow} \\ \text{undefined} & \text{if } \lambda(a){\uparrow} \end{cases}$$


The proof that $ta$ is well defined follows easily from Lemma 1.5. Actually, $ta$ is a full and faithful functor, i.e., an embedding of TSI in LATS. In the following, when no confusion is possible, we may occasionally omit the index $\sim$ from the notation for $\sim$-classes.
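The definitions above are small enough to execute. The following Python, an added example that is not code from the paper, takes a tsi as a set of transitions plus an independence relation on them, computes the relations $\prec$ and $\sim$ of Definition 1.3, checks T1 to T4, and builds the lats $ta(T)$ of Definition 2.2 whose events are the $\sim$-classes, checking the result against A1 to A4 of Definition 1.1. The sample tsi (a single concurrency diamond), the helper names and the string encoding of states and labels are my own choices for illustration, not the paper's.

```python
"""Definition 1.3 made executable: compute the relations ≺ and ~ from a tsi's
independence relation, check axioms T1-T4, build the lats ta(T) of
Definition 2.2 and check it against A1-A4 of Definition 1.1.
Added example, not code from the paper; the sample tsi below is one
constructed concurrency diamond."""
from itertools import product


def sym(pairs):
    """Symmetric closure: independence is declared once per unordered pair."""
    return {(t, u) for t, u in pairs} | {(u, t) for t, u in pairs}


def prec(tran, I):
    """t ≺ t2 for t=(s,a,s1), t2=(s2,a,u) iff some label b closes the diamond:
    (s,a,s1) I (s,b,s2), (s,a,s1) I (s1,b,u) and (s,b,s2) I (s2,a,u)."""
    labels = {a for _, a, _ in tran}
    return {(t, t2) for t in tran for t2 in tran for b in labels
            if t[1] == t2[1] and (t, (t[0], b, t2[0])) in I
            and (t, (t[2], b, t2[2])) in I and ((t[0], b, t2[0]), t2) in I}


def events(tran, I):
    """Map each transition to its ~-class (least equivalence containing ≺),
    computed with a small union-find."""
    parent = {t: t for t in tran}

    def find(t):
        while parent[t] != t:
            t = parent[t]
        return t

    for t, t2 in prec(tran, I):
        parent[find(t)] = find(t2)
    classes = {}
    for t in tran:
        classes.setdefault(find(t), set()).add(t)
    return {t: frozenset(c) for c in classes.values() for t in c}


def check_tsi(tran, I):
    """Names of the conditions of Definition 1.3 that the structure violates."""
    bad = set()
    if any((t, t) in I for t in tran) or any((u, t) not in I for t, u in I):
        bad.add("irreflexive/symmetric")
    cls = events(tran, I)
    targets = {t[2] for t in tran}
    for t, u in product(tran, tran):            # T1: one event, one source, one target
        if cls[t] == cls[u] and t[0] == u[0] and t[2] != u[2]:
            bad.add("T1")
    for (s, a, s1), (x, b, y) in I:
        if x == s and not any(((s, a, s1), (s1, b, u)) in I and          # T2
                               ((s, b, y), (y, a, u)) in I for u in targets):
            bad.add("T2")
        if x == s1 and not any(((s, a, s1), (s, b, s2)) in I and         # T3
                                ((s, b, s2), (s2, a, y)) in I for s2 in targets):
            bad.add("T3")
    for (t, t2), (t3, t4) in product(prec(tran, I), I):                  # T4
        if t3 == t2 and (t, t4) not in I:
            bad.add("T4")
    return sorted(bad)


def ta(states, init, tran, I):
    """The lats of Definition 2.2: events are the ~-classes, each transition is
    decorated with its class, independence is lifted to classes, and the
    labeling reads back the label shared by all members of a class."""
    cls = events(tran, I)
    E = set(cls.values())
    return (states, init, E, {(t[0], cls[t], t[2]) for t in tran},
            {(cls[t], cls[u]) for t, u in I}, {e: next(iter(e))[1] for e in E})


def check_lats(lats):
    """Axioms A1-A4 of Definition 1.1 on a lats as returned by ta."""
    S, _, E, Tran, IA, _ = lats
    bad = set()
    if not all(any(t[1] == e for t in Tran) for e in E):
        bad.add("A1")
    for (s, e, s1), (x, f, s2) in product(Tran, Tran):
        if s == x and e == f and s1 != s2:
            bad.add("A2")
        if (e, f) in IA and s == x and not any(
                (s1, f, u) in Tran and (s2, e, u) in Tran for u in S):
            bad.add("A3")
        if (e, f) in IA and x == s1 and not any(
                (s, f, v) in Tran and (v, e, s2) in Tran for v in S):
            bad.add("A4")
    return sorted(bad)


# Constructed sample: one diamond  s -a-> s1 -b-> u  and  s -b-> s2 -a-> u.
S = {"s", "s1", "s2", "u"}
TRAN = {("s", "a", "s1"), ("s", "b", "s2"), ("s1", "b", "u"), ("s2", "a", "u")}
I = sym({(("s", "a", "s1"), ("s", "b", "s2")), (("s", "a", "s1"), ("s1", "b", "u")),
         (("s", "b", "s2"), ("s2", "a", "u")), (("s1", "b", "u"), ("s2", "a", "u"))})
```

On the sample, `events` groups the two $a$-labelled and the two $b$-labelled transitions into one event each, exactly the implicit events the text describes; dropping a single independence pair such as $(s,b,s_2)\, I\, (s_2,a,u)$ breaks both T2 and T3, and the diamond no longer determines any $\prec$ pair at all.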


DEFINITION 2.3 (eLATS $\to$ TSI). For $A$ a lats, let $at(A)$ be the structure

$$(S_A, i_A, L_A, \mathit{Tran}, I),$$

where

► $(s, a, s') \in \mathit{Tran}$ if and only if $(s, e^a, s') \in \mathit{Tran}_A$;

► $(s, a, s_1)\, I\, (s_2, b, s_3)$ if and only if $(s, e_1^a, s_1), (s_2, e_2^b, s_3) \in \mathit{Tran}_A$, $e_1\, I_A\, e_2$.

For $(\sigma, \eta, \lambda) \colon A \to A'$ a morphism of lats, let $at((\sigma, \eta, \lambda))$ be $(\sigma, \lambda)$.

The result of [10] is that $ta$ and $at$ form a coreflection of TSI in eLATS.

PROPOSITION 2.4 ($ta \dashv at \colon \mathrm{TSI} \hookrightarrow \mathrm{eLATS}$). TSI is coreflective in eLATS.

PROOF. Subsumed by that of the forthcoming Proposition 3.8. □

The lats corresponding to tsi are characterised as the event-maximal lats. Intuitively, a lats is event-maximal if its events and independence are 'tightly coupled', so that one cannot 'split' events without destroying the global lats structure. In other words, the identity of the events in event-maximal lats is forced by the independence relation. This will provide a direct characterisation of tsi in terms of lats.

Definition 2.5 (Event-Maximal lats). For $A$ a lats, $e \in E_A$, and $T \subseteq T_e$, where $T_e = \{(s_1, e', s_2) \in \mathit{Tran}_A \mid e' = e\}$, let $A[T]$ denote the replacement of $e$ on the transitions in $T$ by a fresh event $\bar{e} \notin E_A$, i.e.,

$$A[T] = (S_A, i_A, E_A \cup \{\bar{e}\}, \mathit{Tran}, I, L_A, \ell),$$

where

► $\mathit{Tran} = (\mathit{Tran}_A \setminus T) \cup \{(s_1, \bar{e}, s_2) \mid (s_1, e, s_2) \in T\}$;


On  the  Costs  and  Benefits  of  using  Partial-Order  Methods 
for  the  Verification  of  Concurrent  Systems 
(Invited  Paper) 

Patrice  Godefroid 

Abstract. Verification by state-space exploration is one of the most successful strategies for analyzing the correctness of finite-state concurrent reactive systems. Partial-order methods are algorithms for dynamically pruning the state space of such systems without incurring the risk of any incompleteness in the verification results. This paper presents results of experiments performed with these algorithms on real protocol examples, and discusses the practical significance of partial-order methods.


1.  Introduction 

State-space exploration is one of the most successful strategies for checking the correctness of finite-state concurrent reactive systems. It consists in exploring a global state graph, called the state space, representing the combined behavior of all concurrent components in the system. Many different types of properties of a system can be checked by exploring its state space: deadlocks, dead code, unspecified receptions, violations of user-specified assertions, etc. Moreover, the range of properties that state-space exploration techniques can verify has been substantially broadened during the last decade thanks to the development of model-checking methods for various temporal logics (e.g., [CES86, LP85, QS81, VW86]).

The main limit of this approach to verification is the often excessive size of the state space. Owing to simple combinatorics, this size can be exponential in the size of the description of the system being analyzed. This exponential growth is known as the state-explosion problem. The state-explosion problem is due, among other causes, to the modeling of concurrency by interleaving, or, more accurately, to the exploration of all possible interleavings of concurrent events. For instance, the execution of $n$ concurrent events is investigated by exploring all $n!$ interleavings of these events.

Recently, a collection of verification techniques, referred to as "partial-order methods", have demonstrated that exploring all interleavings of concurrent events is not a priori necessary for verification. Indeed, interleavings corresponding to the same concurrent execution contain related information. The intuition behind partial-order methods is that concurrent executions are really partial orders and that expanding such a partial order into the set of all its interleavings is an inefficient way of analyzing concurrent executions. Instead, concurrent events should be left unordered since the order of their occurrence is irrelevant. Hence the name "partial-order methods". However, rather than choosing to work with direct representations of partial orders, these algorithms keep to an interleaving representation of partial orders, but attempt to limit the expansion of each partial-order computation to just one of its interleavings, instead of all of them. Precisely, given a property, partial-order methods explore only a reduced part of the global state space that is provably sufficient to check the given property. The difference between the reduced and the global state spaces is that not all interleavings of concurrent events are systematically represented in the reduced one. In what follows, we call "partial-order method" any algorithm for generating such a reduced state space.

Partial-order  methods  as  defined  above  first  appeared  independently  in  [Val88a, 
Val88b]  and  [God90,  GW91b],  and  were  developed  further  in  [Val90,  GW91a, 
GHP92,  HGP92,  GP93,  Pel93,  Val93,  WG93,  GKPP94,  HP94,  Pel94].  A 
detailed  comparison  of  the  results  published  in  these  papers  is  available  in  [God96]. 
Partial-order  methods  are  now  used  in  several  existing  verification  tools,  and  have 
been  tested  on  numerous  real-protocol  examples  (e.g.,  see  [GHP92,  HGP92, 
HP94,  GPS96]). 

Of course, it has been recognized for some time before the early 90's that concurrency and nondeterminism are not the same thing. This observation has actually inspired a fairly large body of work on so-called "partial-order models" of concurrency (e.g., [Lam78, Maz86, Pra86, Win86]). Work in this area studies various semantics for concurrency, and compares their properties. Also, partial-order temporal logics (e.g., [PW84, KP86, KP87, Pen88, Pen90]) have been designed to be semantically more expressive than previously existing (linear-time and branching-time) temporal logics. In contrast, partial-order methods yield results identical to those of verification methods based on classical interleaving semantics; they just make it possible to perform the verification more efficiently.

Several  approximate  methods  based  on  simple  heuristics  have  been  proposed 
to  restrict  the  number  of  interleavings  that  are  explored  [GH85,  Wes86,  Hol87]. 
These  heuristics  carry  with  them  the  risk  of  incomplete  verification  results,  i.e.,  they 
can  detect  errors  but  cannot  prove  the  absence  of  errors.  In  contrast,  partial-order 
methods  reduce  the  number  of  interleavings  that  must  be  inspected  in  a  completely 
reliable  manner,  provably  without  the  risk  of  any  incompleteness  in  the  verification 
results. 

Strategies for proving properties of concurrent systems without considering all possible interleavings of their concurrent actions have been proposed in [AFdR80, EF82, Pnu85, SdR89, KP92b, JZ93]. These proof methods are applied in the context of an inference system, in which the correctness of a system is established by proving assertions about its components. This approach to verification has the advantage of not being restricted to finite-state systems. On the other hand, it requires proofs that are manual. Even with the help of a theorem prover, carrying out such proofs is far from fully automatic, since most steps of the proof require inventive interventions from the user. In contrast, the focus of the partial-order methods we discuss in this paper is purely on algorithmic issues, since we discuss fully-automatic state-space exploration techniques.

The idea that the cost of modeling concurrency by interleaving can be avoided in finite-state verification also appeared in [JK90, PL90, McM92, Esp94]. In [JK90], the problem of finding an "optimal" reduced state space with just enough transitions and states to preserve Mazurkiewicz's trace semantics is addressed. In [PL90], a method that relies on a pomset grammar description of the system is introduced. Also, in [McM92, Esp94], one finds a verification method that works by unfolding a Petri net description of a concurrent system into a finite acyclic structure. These methods are quite different from those discussed in this work. Note that so far none of these other methods has been widely experimented on a large set of realistic examples, as has been the case for the partial-order methods discussed here.


2.  Basic  Notions 

Consider a concurrent system composed of several processes. Let us assume that the system is represented by a set $\mathcal{T}$ of system transitions, specified for instance in some guarded-command modeling language. The choice of a particular modeling language and semantics is not essential for the following discussion. What matters is that it is possible to compute from $\mathcal{T}$ a global transition system $A_G$ (or "global state space") representing the joint behavior of all the processes in the system. For the sake of simplicity, we will assume that each transition of $A_G$ corresponds to the execution of one system transition $t \in \mathcal{T}$.¹ We will write $s \xrightarrow{t} s'$ to mean that the execution of the transition $t \in \mathcal{T}$ leads the system from the state $s$ of $A_G$ to the state $s'$ of $A_G$, and $s \xrightarrow{w} s'$ to mean that the execution of the sequence $w \in \mathcal{T}^*$ of transitions leads from $s$ to $s'$.

The  basic  idea  that  enables  us  to  check  properties  of  Aq  without  constructing 
the  whole  of  Aq  is  the  following:  Aq  contains  many  paths  that  correspond  simply 
to  different  execution  orders  of  the  same  system  transitions.  If  these  transitions  are 
“independent” ,  for  instance  because  they  are  executed  by  noninteracting  processes, 
then  changing  their  order  will  not  modify  their  combined  effect. 

This  notion  of  independency  between  transitions  and  its  complementary  notion, 
the  notion  of  dependency,  can  be  formalized  by  the  following  definition  (adapted 
from  [KP92a]). 

Definition 2.1. Let $\mathcal{T}$ be the set of system transitions and $D \subseteq \mathcal{T} \times \mathcal{T}$ be a binary, reflexive, and symmetric relation. The relation $D$ is a valid dependency relation for the system iff for all $t_1, t_2 \in \mathcal{T}$, $(t_1, t_2) \notin D$ ($t_1$ and $t_2$ are independent) implies that the two following properties hold for all global states $s$ in the global state space $A_G$ of the system:

1. if $t_1$ is enabled in $s$ and $s \xrightarrow{t_1} s'$, then $t_2$ is enabled in $s$ iff $t_2$ is enabled in $s'$ (independent transitions can neither disable nor enable each other); and

2. if $t_1$ and $t_2$ are enabled in $s$, then there is a unique state $s'$ such that $s \xrightarrow{t_1 t_2} s'$ and $s \xrightarrow{t_2 t_1} s'$ (commutativity of enabled independent transitions).

This definition characterizes the properties of possible "valid" dependency relations for the transitions of a given system. Note that it is not practical to check the two properties listed above for all pairs of transitions for all states in order to determine which transitions are independent and which are not. Therefore, in practice, one uses easily checkable syntactic conditions that are sufficient for transitions to be independent. See [God96] for a detailed presentation of that topic.


1  Transitions  are  assumed  to  be  deterministic:  the  execution  of  a  transition  t  in  a  state  s 
leads  to  a  unique  successor  state.  This  is  not  a  restriction  since  “nondeterministic  transitions” 
can  always  be  modeled  by  a  set  of  deterministic  transitions  with  non  mutually  exclusive  guards. 
Following the work of Mazurkiewicz [Maz86], one can use the notion of independent transitions to define an equivalence relation on sequences of transitions: two sequences of transitions are equivalent if they can be obtained from each other by successively permuting adjacent independent transitions. Thus, given an independency relation, sequences of transitions can be grouped into equivalence classes which Mazurkiewicz calls traces. It is easy to see that sequences of transitions $w_1$ and $w_2$ belonging to the same trace lead to the same state of $A_G$. This property is basically what will allow us to only explore part of the global state space $A_G$: to determine if a state is reachable by a trace, it is sufficient to explore one transition sequence corresponding to that trace.

It might thus appear that we are using Mazurkiewicz's trace semantics. This is not really so. Indeed, to view Mazurkiewicz's theory as a semantics, the independency relation should be considered as part of the semantics: given an independency relation, one can determine the Mazurkiewicz semantics of a system. The criterion for a partial construction of the state space would then be that the Mazurkiewicz semantics are preserved. Here a less restrictive point of view is taken. The semantic criterion is that the result of checking a property in the class of interest should be the same as if checking the property on $A_G$. The link with Mazurkiewicz's semantics is only in the fact that the algorithms presented in the next section rely on the concept of independency and on the properties it implies. With some algorithms, it is even possible to use definitions of independence that are weaker than the one of Definition 2.1 (e.g., [GP93, God96]).


3.  The  Algorithms 

In this section, we present the basic algorithmic ideas used in the style of partial-order verification methods we are considering. For simplicity, we only consider the problem of detecting terminating (deadlock) states. In order to check for properties more elaborate than deadlocks (such as arbitrary safety properties or linear-time temporal-logic formulas), it is usually necessary to preserve more information in the reduced state space $A_R$, i.e., to explore more states and transitions. This is done by enforcing additional conditions that have to be satisfied during the generation of $A_R$. We refer the reader to [God96] for a detailed comparison of the various techniques that have been proposed to address this problem.

The specification of the algorithms we discuss here is thus that they should find all states of $A_G$ with no outgoing transitions while exploring as small a fraction as possible of $A_G$. All the partial-order algorithms follow the same basic pattern: they operate as classical state-space searches except that, at each state $s$ reached during the search, they compute a subset $T$ of the set of transitions enabled at $s$ and explore only the transitions in $T$; the other enabled transitions are not explored. We call such a search a selective search. It is easy to see that a selective search through $A_G$ only reaches a subset (not necessarily proper) of the states and transitions of $A_G$.

Two main techniques for computing such sets $T$ have been proposed in the literature. The first technique actually corresponds to a whole family of algorithms [Ove81, Val91, GW91b, GP93]. It is shown in [God96] that all these algorithms (including Valmari's algorithms for computing "strong stubborn sets") compute persistent sets. The second type of technique is the sleep set technique (e.g., [GW93]). Interestingly, these two techniques are compatible and can be used simultaneously to further improve the selection of the set $T$. We first describe persistent-set techniques.

Intuitively, a subset $T$ of the set of transitions enabled in a state $s$ of $A_G$ is called persistent in $s$ if all transitions not in $T$ that are enabled in $s$, or in a state reachable from $s$ through transitions not in $T$, are independent with all transitions in $T$. In other words, whatever one does from $s$, while remaining outside of $T$, does not interact with or affect $T$. Formally, we have the following [GP93].

DEFINITION 3.1. A set $T$ of transitions enabled in a state $s$ is persistent in $s$ iff, for all nonempty sequences of transitions

$$s = s_1 \xrightarrow{t_1} s_2 \xrightarrow{t_2} s_3 \cdots s_{n-1} \xrightarrow{t_{n-1}} s_n \xrightarrow{t_n} s_{n+1}$$

from $s$ in $A_G$ and including only transitions $t_i \notin T$, $1 \le i \le n$, $t_n$ is independent with all transitions in $T$.

Note  that  the  set  of  all  enabled  transitions  in  a  state  s  is  trivially  persistent 
since  nothing  is  reachable  from  s  by  transitions  that  are  not  in  this  set.  Persistent 
sets  are  very  similar,  although  not  equivalent,  to  the  “faithful  decompositions” 
introduced  (independently)  in  [KP92b]  and  to  the  “ample  sets”  used  in  [Pel93]. 

Let a persistent-set selective search be a selective search through $A_G$ which, in each state $s$ that it reaches, explores only a set $T$ of enabled transitions that is persistent in $s$, and that is nonempty if there exist transitions enabled in $s$. It is easy to prove that a persistent-set selective search started from the initial state of $A_G$ will explore all deadlocks of $A_G$ [God96].

Of course, the key element required for the implementation of a persistent-set selective search is an algorithm for computing persistent sets. Such algorithms [Ove81, Val91, GW91b, GP93] infer the persistent sets from the static structure (code) of the system being verified. They differ by the type of information about the representation of the system that they use (e.g., "distinguishing between internal and global transitions", "which process can access which variable", "which process can access which variable from its current location", etc.). The aim of these algorithms is to obtain the smallest possible persistent sets. Usually, the more information about the program the algorithm uses, the smaller the persistent sets it produces are, albeit at the cost of a higher computational complexity. See [God96] for a detailed comparison of these algorithms and of their complexity. Note that exploring the smallest number of enabled transitions at each step of the search is only a heuristic: it does not necessarily lead to the exploration of the smallest number of states in $A_R$.

The  second  technique  for  computing  the  set  of  transitions  T  to  consider  in  a 
selective  search  is  the  sleep  set  technique  [GW93]  introduced  in  [God90].  This 
technique  does  not  exploit  information  about  the  static  structure  (code)  of  the 
program,  but  rather  about  the  past  of  the  search.  Used  alone  it  reduces  the  number 
of  transitions  explored,  but  not  the  number  of  states  [God96],  which  can  still  be 
very  useful  as  we  will  see  in  Section  6.  Used  in  conjunction  with  a  persistent 
set  technique  it  can  further  reduce  the  number  of  states  explored.  Indeed,  when 
the  persistent  set  technique  cannot  avoid  the  selection  of  independent  transitions 
in  a  state,  sleep  sets  can  avoid  the  exploration  of  multiple  interleavings  of  these 
transitions.  Again,  we  refer  the  reader  to  [God96]  for  a  detailed  presentation  of 
the  sleep  set  algorithm  and  of  its  complexity. 
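As an added example (not code from the paper, and not the SPIN partial-order package it describes), the following Python carries Definitions 2.1 and 3.1 and the persistent-set selective search through on a small constructed system: three processes that each take two local steps and then compete for a lock that is never released, so the two losers end up in terminal states. The modelling is my own assumption about how one would implement the text rather than the paper's algorithm: guards are conjunctions of equalities on variables, effects assign constants, the dependency relation $D$ is the static "one writes a variable the other reads or writes" relation, and persistent sets come from a stubborn-set style closure in which a disabled transition contributes the writers of the first guard variable that currently falsifies it as its necessary enabling set. Because the toy state space is tiny, both definitions are also checked by brute force, which the text notes is impractical for real systems.

```python
"""Persistent-set selective search for deadlock detection on a constructed
guarded-command system.  Added example, not code from the paper or from the
SPIN partial-order package.  Assumed modelling (not from the page): a guard is
a conjunction of equalities, an effect assigns constants, reads = guard
variables, writes = effect variables, and D is the static relation "one of
the two writes a variable the other reads or writes"."""
from itertools import product

VARS = ("x1", "x2", "x3", "lock")
IDX = {v: k for k, v in enumerate(VARS)}


def mk(name, guard, effect):
    return {"name": name, "guard": guard, "effect": effect,
            "reads": frozenset(guard), "writes": frozenset(effect)}


# Constructed system: x_i is process i's control location; a_i and b_i are
# local steps, c_i grabs a shared lock that is never released, so the two
# processes that lose the race stay blocked: those terminal states are the
# deadlocks the search must find.
TRANS = []
for i in (1, 2, 3):
    x = f"x{i}"
    TRANS += [mk(f"a{i}", {x: 0}, {x: 1}),
              mk(f"b{i}", {x: 1}, {x: 2}),
              mk(f"c{i}", {x: 2, "lock": 0}, {x: 3, "lock": i})]
INIT = (0, 0, 0, 0)


def enabled(t, s):
    return all(s[IDX[v]] == val for v, val in t["guard"].items())


def fire(t, s):
    s = list(s)
    for v, val in t["effect"].items():
        s[IDX[v]] = val
    return tuple(s)


def dependent(t, u):
    """Static dependency: one of them writes a variable the other touches."""
    return bool(t["writes"] & (u["reads"] | u["writes"]) or
                u["writes"] & t["reads"])


def persistent_set(s):
    """Stubborn-set style closure from each enabled seed; keep the smallest.
    Enabled member: add every transition dependent on it.  Disabled member:
    add the writers of the first guard variable whose current value falsifies
    its guard (it cannot become enabled before one of them fires)."""
    best = None
    for seed in (t for t in TRANS if enabled(t, s)):
        T, work = {seed["name"]}, [seed]
        while work:
            t = work.pop()
            if enabled(t, s):
                new = [u for u in TRANS if dependent(t, u)]
            else:
                v = next(v for v, val in t["guard"].items() if s[IDX[v]] != val)
                new = [u for u in TRANS if v in u["writes"]]
            for u in new:
                if u["name"] not in T:
                    T.add(u["name"])
                    work.append(u)
        P = [t for t in TRANS if t["name"] in T and enabled(t, s)]
        if best is None or len(P) < len(best):
            best = P
    return best or []


def search(selective):
    """Depth-first search of A_G (selective=False) or of the reduced A_R.
    Returns (visited states, terminal states, i.e. deadlocks)."""
    seen, deadlocks, stack = {INIT}, set(), [INIT]
    while stack:
        s = stack.pop()
        todo = persistent_set(s) if selective else [t for t in TRANS if enabled(t, s)]
        if not todo:
            deadlocks.add(s)
        for t in todo:
            s2 = fire(t, s)
            if s2 not in seen:
                seen.add(s2)
                stack.append(s2)
    return seen, deadlocks


def valid_dependency(states):
    """Definition 2.1 checked by brute force over the given global states."""
    for t1, t2 in product(TRANS, TRANS):
        if dependent(t1, t2):
            continue
        for s in states:
            if not enabled(t1, s):
                continue
            s1 = fire(t1, s)
            if enabled(t2, s) != enabled(t2, s1):       # (1) neither enables nor disables
                return False
            if enabled(t2, s) and fire(t2, s1) != fire(t1, fire(t2, s)):   # (2) commute
                return False
    return True


def is_persistent(s, P):
    """Definition 3.1 checked by exploring A_G from s along non-P transitions."""
    names, seen, stack = {t["name"] for t in P}, {s}, [s]
    while stack:
        s1 = stack.pop()
        for t in TRANS:
            if t["name"] in names or not enabled(t, s1):
                continue
            if any(dependent(t, p) for p in P):
                return False
            s2 = fire(t, s1)
            if s2 not in seen:
                seen.add(s2)
                stack.append(s2)
    return True


if __name__ == "__main__":
    (full, dl), (red, dl_r) = search(False), search(True)
    print(f"global states: {len(full)}, reduced: {len(red)}, deadlocks: {sorted(dl)}")
```

On this system the exhaustive search visits 54 global states and the selective search 10, both reporting the same three deadlocks (one per lock winner); the brute-force checks confirm that $D$ satisfies Definition 2.1 on every global state and that every set the closure returns is persistent in the sense of Definition 3.1. The reduction comes entirely from the states where only local steps are enabled: there the closure from a local step stays inside one process, so a single transition is persistent, whereas the three competing lock acquisitions are mutually dependent and must all be explored.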
4. How Can Partial-Order Methods Be Evaluated?

How  much  can  one  gain  by  using  these  algorithms?  It  is  very  difficult  to  give 
a  general  answer.  Indeed,  one  can  quite  easily  construct  families  of  systems  for 
which  nothing  is  gained  whatsoever.  Examples  of  such  systems  are  systems  where 
the  coupling  between  the  processes  is  so  tight  that  two  independent  transitions  are 
never  simultaneously  enabled.  (The  system  is  in  fact  purely  sequential.)  In  this 
case,  partial-order  methods  yield  no  reduction,  and  the  selective  search  becomes 
equivalent  to  a  classical  exhaustive  search. 

On  the  other  hand,  it  is  also  easy  to  construct  systems  for  which  the  growth 
of  the  state  space  when  the  number  of  processes  in  the  system  increases  is  reduced 
from  exponential  to  polynomial  by  a  selective  search.  This  is  the  case,  for  instance, 
for  the  well-known  dining-philosophers  example  [Val88a].  Going  one  step  further, 
it  is  also  possible  to  find  examples  of  systems  for  which  the  global  state  space 
increases  in  size  when  the  value  of  some  parameter  grows,  while  the  reduced  state 
space  remains  the  same.  See  Chapter  8  of  [God96]  for  such  an  example. 

Clearly, by a biased choice of examples, an arbitrarily exaggerated impression of the improvements could thus be suggested. For instance, by setting the number of philosophers to a sufficiently large number, we can claim that we can verify properties of systems with astronomical numbers of states, like $10^{20}$ states as in [BCM+90], or even systems with infinite numbers of states. Of course, this should be taken with a grain of salt since the fact that checking only a small part of such enormous state spaces is sufficient only indicates that most of the states in the global state space are uninteresting. This observation leads us to the following conclusion: the number of states in the global state space of a system does not give a good measure of its "complexity".

Along  the  same  line  of  thought,  the  study  of  the  asymptotic  behavior  of  the 
function  giving  the  number  of  states  for  different  numbers  of  processes  in  a  system 
is  only  of  limited  practical  interest.  Indeed,  state-space  exploration  techniques  are 
rarely  used  to  verify  systems  composed  of  tens  of  identical  processes.  For  such 
systems,  it  is  preferable  to  use  other  verification  techniques  specially  tailored  for 
proving  properties  of  systems  with  undefined  numbers  of  participants  (e.g.,  [KM89, 
WL89]). 

Consequently, experiments with realistic examples, including industrial-size ones, appear to be the most informative approach to evaluating partial-order verification methods.


5.  Evaluation 

In order to perform experiments on complex concurrent systems, we have implemented a selective search algorithm using persistent sets and sleep sets in an add-on package for the protocol verification system SPIN [Hol91]. SPIN is a verification tool for communication protocols described in the Promela language. Promela is a nondeterministic guarded-command language. Promela defines systems of asynchronously executing concurrent processes that can interact via shared variables and message channels. Interaction via message channels can be either synchronous (i.e., by rendez-vous) or asynchronous (buffered) with arbitrary (user-specified) buffer capacities, and arbitrary numbers of message parameters. These different types of communication can be combined. Given a concurrent system described by a Promela program, SPIN can verify properties of the system by performing a depth-first search in the global state space of the system.

The partial-order package for SPIN that we have developed is available free of
charge for educational and research purposes by anonymous ftp from
ftp.montefiore.ulg.ac.be in the /pub/po-package directory. More information on the
partial-order package can be found in the README file in this directory.

The partial-order package has been tested on various examples of protocols.
The aim of these experiments was to determine the type of reduction that can be
expected on real protocol examples when using the partial-order verification
algorithms, and to evaluate the respective impact of these algorithms on the reduction
obtained. In this Section, results obtained with four sample protocols are detailed.

• PFTP is a file transfer protocol presented in Chapter 14 of [Hol91], modeled
in 206 lines of Promela. It consists of three processes communicating via
FIFO channels.

• MULOG3 is a model of a mutual exclusion algorithm presented in [TN87],
for 3 participants, modeled in 97 lines of Promela. It consists of six processes
communicating via FIFO channels and shared variables.

• ABRA is a model of the Abracadabra protocol presented in [Tur93], modeled
in 168 lines of Promela. It consists of four processes communicating via
FIFO channels.

• DTP is a data transfer protocol, modeled in 406 lines of Promela. It consists
of three processes communicating via FIFO channels.

We report here experiments performed using four different algorithms.

• DFS denotes an exhaustive search performed in a depth-first order.

• SLEEP denotes a selective search using sleep sets.

• PS denotes a selective search using persistent sets.

• PS+SLEEP denotes a selective search using both persistent sets and sleep
sets.

Results of these experiments are presented in Table 1. All experiments were
performed on a SPARC2 workstation with 64 Megabytes of RAM, using the
Partial-Order Package version 3.0. For each run, the numbers of visited states and
traversed transitions are given. Time (in seconds) is user time plus system time as
reported by the UNIX-system time command. All visited states are stored in a hash
table. To avoid significant run-time penalties for disk access, visited states can only
be stored in randomly accessed memory, i.e., in the main memory available in the
computer on which the experiments are performed. Consequently, parameter settings
in all the protocols considered were chosen to produce global state spaces that can
easily be stored in 64 Megabytes of RAM. For each run, the amount of memory used
is directly proportional to the number of stored states.

From the numbers given in Table 1, two main observations can be made
concerning the respective impact of persistent sets and sleep sets on the reduction
obtained.

• Persistent sets yield the largest reductions on the number of visited
states. They can also yield good reductions on the number of explored
transitions.

• Sleep sets alone do not reduce the number of visited states at all (for all four
protocols SLEEP stores exactly as many states as DFS), but yield very good
reductions on the number of explored transitions.
Protocol   Algorithm   Stored States   Transitions   Time (s)
PFTP       DFS               446,982     1,257,317      478.2
           SLEEP             446,982       622,364      639
           PS                276,722       482,722      662.7
           PS+SLEEP          249,994       351,633      684.7
MULOG3     DFS                38,181       111,668       25.3
           SLEEP              38,181        38,241       30.5
           PS                 18,537        38,906       25.8
           PS+SLEEP           17,984        18,057       26
ABRA       DFS               149,816       372,010      494.2
           SLEEP             149,816       176,469      546
           PS                 32,289        40,931      166.3
           PS+SLEEP           27,781        34,381      155.7
DTP        DFS               251,409       648,467      200.2
           SLEEP             251,409       269,912      189
           PS                  9,904        10,351       11.3
           PS+SLEEP            9,904        10,351       11.5

Table 1. Evaluation


For all protocols, the best reductions are obtained with PS+SLEEP, i.e., by
using persistent sets and sleep sets simultaneously. Using persistent sets and sleep
sets gives better reductions than using persistent sets alone in almost all cases. For
DTP, persistent sets are so good at reducing the number of states and transitions
that sleep sets are not able to improve this result.

These results show that using the partial-order methods discussed in this work
is basically a no-risk improvement. In the worst case, when the reduction is not
sufficient to make up for the additional run-time overhead (PFTP in Table 1, where
PS+SLEEP takes 684.7 s against 478.2 s for DFS), the selective search can be
slower than a classical search, but the overall time complexity remains linear in
the number of explored transitions.

Moreover, using partial-order methods can strongly decrease both the time and
the memory resources needed to verify properties of concurrent systems (DTP).
Therefore, they can be used to verify more complex protocols.

6. State-Space Caching

Another observation that can be made from the results given in Table 1 is the
following: when using partial-order methods, and especially when using sleep sets,
the number of state matchings, i.e., the number of visited transitions minus the
number of visited states, strongly decreases. This phenomenon can be explained as
follows [GHP92].

When performing a classical search (like DFS), almost all states in the state
space of a concurrent system are typically visited several times. There are two
causes for this:

1. From the initial state, the explorations of all interleavings of a single finite
concurrent execution of the system always lead to the same state. This state
will thus be visited several times because of all these interleavings.

2. From the initial state, explorations of different finite concurrent executions
may lead to the same state.
When using partial-order methods, and especially when using sleep sets, most of
the effects of the first cause given above can be avoided, and, in many cases, most
of the states are visited only once during the selective search.

States that are visited only once do not need to be stored in memory. Indeed,
the only reason why visited states are stored in memory is to avoid redundant
explorations of parts of the state space: when a state that has already been visited
is visited again later during the search, it is not necessary to revisit all its successors.
Unfortunately, it is impossible to determine which states are visited only once before
the search is completed. However, if most of the states are visited only once, the
probability that a state will be visited again later during the search is very small,
and the risk of double work when not storing an already visited state becomes
very small as well. This makes it possible not to store most of the states that have
already been visited without incurring too many redundant explorations of parts
of the state space. The memory requirements can thus strongly decrease without
seriously increasing the time requirements.

State-space caching [Hol85, JJ91] is a memory management technique for
storing the states encountered during a depth-first search that consists in storing
all the states of the current explored path (i.e., those in the current depth-first
search “stack”) plus as many other states as possible given the remaining amount
of available memory. It thus creates a restricted cache of selected system states
that have already been visited. Initially, all states encountered are stored into the
cache. When the cache fills up, old states that are not in the stack are removed
from the cache to accommodate new ones. This method never tries to store more
states than fit in the cache. Thus, if the size of the cache is greater than the
maximal size of the stack during the exploration, the search is not truncated, and
eventually terminates.

We have implemented such a caching discipline in our partial-order package.
The caching discipline can be used with any of the selective-search algorithms that
were considered in the previous section. Results of experiments with different cache
sizes and the algorithms DFS, PS, and PS+SLEEP for the MULOG3 protocol are
presented in Figure 1. For each run, the run time is directly proportional to the
number of explored transitions.
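The four algorithms compared in Section 5 (DFS, SLEEP, PS, PS+SLEEP) and the caching discipline just described, as an added example that is not the paper's SPIN package: a small Python model checker for a constructed three-process model (two processes each increment a shared counter x, the third increments a counter y, every process with a local step before and after). Persistent sets are computed here by a simple conflicting-transitions closure over statically declared variable accesses, sleep sets are stored with each state and re-explored on matching as in Godefroid's algorithm, and the cache pins the states on the current depth-first path and evicts the oldest other state. The model, the closure rule, the eviction order and the counters reported are all assumptions of this example, not the paper's.

```python
"""Added example: selective search with persistent sets, sleep sets and
state-space caching on a constructed toy model (not the paper's SPIN package)."""
from collections import OrderedDict, namedtuple

# Constructed model: three straight-line processes over two shared counters.
# A step is ("local",) or ("incr", var); incr reads and writes the named variable.
VARS = ("x", "y")
PROCS = (
    (("local",), ("incr", "x"), ("local",)),
    (("local",), ("incr", "x"), ("local",)),
    (("local",), ("incr", "y"), ("local",)),
)
INIT = ((0,) * len(PROCS), (0,) * len(VARS))  # (program counters, shared values)
Result = namedtuple("Result", "states transitions matched cleared max_depth max_stored terminals")


def touched(proc, pc):
    """Shared variables written by step pc of process proc (local steps: none)."""
    step = PROCS[proc][pc]
    return frozenset(step[1:]) if step[0] == "incr" else frozenset()


def dependent(t1, t2):
    """Static dependency of transitions (process, pc): same process, or a common
    shared variable is written by both.  Everything else commutes."""
    return t1[0] == t2[0] or bool(touched(*t1) & touched(*t2))


def enabled(state):
    pcs, _ = state
    return [(p, pc) for p, pc in enumerate(pcs) if pc < len(PROCS[p])]


def succ(state, t):
    pcs, vals = state
    p, pc = t
    vals = list(vals)
    for v in touched(p, pc):
        vals[VARS.index(v)] += 1
    return pcs[:p] + (pc + 1,) + pcs[p + 1:], tuple(vals)


def persistent_set(state):
    """Conflicting-transitions closure: start with the process owning the first
    enabled transition and add every process having any step dependent with any
    step of an already chosen process.  The enabled transitions of the chosen
    processes form a persistent set: no transition of any other process is ever
    dependent with them, so outsiders can neither disable nor pre-empt them."""
    en = enabled(state)
    if not en:
        return []
    chosen, todo = set(), [en[0][0]]
    while todo:
        p = todo.pop()
        chosen.add(p)
        for q in range(len(PROCS)):
            if q not in chosen and any(dependent((p, i), (q, j))
                                       for i in range(len(PROCS[p]))
                                       for j in range(len(PROCS[q]))):
                todo.append(q)
    return [t for t in en if t[0] in chosen]


def search(use_ps=False, use_sleep=False, cache_size=None):
    """Depth-first selective search.  H maps every stored state to the sleep set it
    was stored with.  With cache_size set, H is a bounded cache: states on the
    current DFS path are never evicted, the oldest other state is, so the cache
    must hold at least the deepest path for the bound (and termination) to hold."""
    H, path, terminals = OrderedDict(), [], set()
    n = dict(states=0, transitions=0, matched=0, cleared=0, max_depth=0, max_stored=0)

    def visit(s, sleep):
        n["max_depth"] = max(n["max_depth"], len(path) + 1)
        if s in H:                    # state matching: only transitions slept on
            n["matched"] += 1         # at the earlier visit but not now remain
            todo = H[s] - sleep
            H[s] = H[s] & sleep
        else:
            if cache_size is not None and len(H) >= cache_size:
                victim = next((k for k in H if k not in path), None)
                if victim is not None:
                    del H[victim]
                    n["cleared"] += 1
            H[s] = frozenset(sleep)
            n["states"] += 1
            n["max_stored"] = max(n["max_stored"], len(H))
            en = enabled(s)
            if not en:
                terminals.add(s)
            todo = set(persistent_set(s) if use_ps else en) - sleep
        path.append(s)
        for t in sorted(todo):
            n["transitions"] += 1
            # the successor sleeps on the inherited or already explored transitions
            # that are independent of t; without sleep sets it sleeps on nothing
            visit(succ(s, t), {u for u in sleep if not dependent(t, u)} if use_sleep else set())
            if use_sleep:
                sleep = sleep | {t}
        path.pop()

    visit(INIT, set())
    return Result(n["states"], n["transitions"], n["matched"], n["cleared"],
                  n["max_depth"], n["max_stored"], frozenset(terminals))


if __name__ == "__main__":
    full = search(use_ps=True, use_sleep=True)
    runs = [("DFS", search()), ("SLEEP", search(use_sleep=True)),
            ("PS", search(use_ps=True)), ("PS+SLEEP", full),
            ("PS+SLEEP+Caching", search(True, True, full.max_depth)),
            ("DFS+Caching", search(cache_size=full.max_depth))]
    for name, r in runs:
        print(f"{name:17} states={r.states:3} transitions={r.transitions:4} "
              f"matched={r.matched:3} cleared={r.cleared:3} max_stored={r.max_stored:3}")
```

On this toy model the exhaustive DFS stores all 64 states and explores 144 transitions, i.e. 81 state matchings; sleep sets alone still store all 64 states but cut the transitions to 65 (2 matchings); persistent sets store 19 states; PS+SLEEP stores 19 states with 20 transitions and 2 matchings, which is the pattern of Table 1. With the cache limited to the maximal depth of the search (10 states), PS+SLEEP re-explores only a few transitions after evictions, whereas plain DFS under the same cache keeps revisiting evicted states and explores far more than its 144 transitions, which is the run-time explosion the text describes. The `max_depth` against the cache size and the proportion of `matched` states are exactly the quantities one can monitor during a run to estimate whether the cache is large enough.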

With DFS, these results clearly show that the size of the cache, i.e., the number
of stored states, can be reduced to approximately a third of the total number
of states in A_G without seriously affecting the number of explored transitions and
hence the run time. If the cache is further reduced, the run time increases dramatically,
due to redundant explorations of large parts of the state space. This run-time
explosion makes state-space caching inefficient under a certain threshold.

With PS, this threshold can be reduced to approximately an eighth of the total
number of states. This improvement is not very spectacular because the number of
matched states, even when using PS, is still too large (see Table 1). The risk
of double work when reaching an already visited state that has been removed from
the cache is not reduced enough.

With PS+SLEEP, the situation is different: there is no run-time explosion
anymore. Indeed, the number of matched states is reduced so much (see Table 1)
that the risk of double work becomes very small. When the cache size is reduced
down to the maximal depth of the search (this maximal depth is the lower bound for
the cache size since all states of the stack are stored to ensure the termination of
the search), the increase of the number of explored transitions is still less than 10%
with respect to the number of transitions explored by PS+SLEEP when all visited
states are stored in memory, i.e., without using state-space caching.

Figure 1. Performance of state-space caching for MULOG3

In other words, the MULOG3 protocol, which has 38,181 reachable states that
can be visited by DFS in 25 seconds (see Table 1), can be analyzed with the same
run time by using PS+SLEEP and state-space caching while storing no more than
150 states. The memory requirements are reduced by a factor of 200 while the run
time remains the same.

Of course, the practical interest of this result is that using partial-order methods
and state-space caching together makes possible the complete exploration of very
large state spaces that could not be explored so far.

For instance, consider two other versions of the MULOG protocol, denoted
MULOG4 and MULOG5, with respectively four and five participants. Let
PS+SLEEP+Caching denote a selective search using persistent sets, sleep sets, and
state-space caching. Tables 2 and 3 present results of experiments performed on
MULOG4 and MULOG5 with the algorithms DFS, PS+SLEEP, and PS+SLEEP+Caching.
“Stored states” is the number of stored states at the end of the search. When
state-space caching is used, the maximum number of stored states, i.e., the size of the
cache, is limited to 300,000 states. (This number is approximately the maximum
number of states that can be stored in RAM for MULOG4 and MULOG5 while still
avoiding any paging.) “Cleared states” is the number of times a state was removed
from the cache. “Matched states” is the number of state matchings that occurred
during the search.
Algorithm          Stored St.   Cleared St.   Matched St.   Transitions   Time (s)
DFS                         -             -             -             -   -
PS+SLEEP              654,600             0         6,189       660,789   986.4 (2516.7)
PS+SLEEP+Caching      300,000       354,676         6,198       660,874   1122.6 (1184.4)

Table 2. Verification of MULOG4


Algorithm          Stored St.   Cleared St.   Matched St.   Transitions   Time (s)
DFS                         -             -             -             -   -
PS+SLEEP                    -             -             -             -   -
PS+SLEEP+Caching      300,000    28,613,162       349,904    29,263,066   60,633.1

Table 3. Verification of MULOG5


For MULOG4, DFS was not able to complete its search, since its global state
space is too large to be stored in (64 Megabytes of) memory. Using state-space
caching with DFS does not help, because of the run-time explosion mentioned
above. MULOG4 can still be verified using PS+SLEEP, even without state-space
caching. Real time as reported by the UNIX-system time command is given between
parentheses next to the run time (user time plus system time). The important
difference between these two numbers for PS+SLEEP is due to paging (storing
654,600 states of MULOG4 requires more than 64 Megabytes of RAM, so some of
them had to be stored on disk).

For MULOG5, the only algorithm that is able to completely verify the correctness
of this protocol is PS+SLEEP+Caching. The complete selective search takes
approximately 17 hours, and explores 29,263,066 transitions. This means that the
reduced state space A_R explored by PS+SLEEP contains at most 29,263,066 states.
The size of the global state space A_G of MULOG5 is not known, but is very likely
several orders of magnitude larger than the largest state spaces that can be explored
by other existing verification tools.

Note that the efficiency of the state-space caching technique can be dynamically
estimated during the search: if the maximum stack size remains acceptable with
respect to the cache size and if the proportion of matched states remains small
enough, the run-time explosion will likely be avoided. Otherwise one cannot predict
whether the cache size is large enough to avoid the run-time explosion.


7. Conclusion

Using partial-order methods is basically a no-risk improvement with respect
to a classical exhaustive search in the state space of the system being analyzed.
Moreover, partial-order methods can yield substantial improvements in the
performance of the verification. Therefore, these methods broaden the applicability of
state-space exploration techniques to more complex systems.

The reduction obtained depends on the coupling between the processes in the
system. When the coupling is very tight, partial-order methods yield no reduction,
and the selective search becomes equivalent to a classical exhaustive search. When
the coupling between the processes is very loose, the reduction can be very
impressive. For most realistic examples, partial-order methods provide a significant
reduction of the memory and time requirements needed to verify protocols.

It is worth noticing that partial-order methods can already yield good performance
improvements for verifying systems containing only a handful of processes.
It is not necessary to consider systems composed of tens of processes to obtain
spectacular reductions. To put it another way, the part of the state explosion due to
the exploration of all possible interleavings of independent transitions can already
be very large for systems containing only a few processes, and partial-order
methods are able to get rid of most of this explosion.

This very important point emphasizes the practical significance of partial-order
methods. Indeed, most of the protocol models that are analyzed with state-space
exploration techniques typically contain only a handful of processes. The examples
we have considered in Section 5 reflect this reality. For instance, a typical protocol
example is usually composed of a few processes that communicate asynchronously
by exchanging messages through some communication medium, each process being
described by a long piece of sequential code, with complex interactions between
control and data.

Not only are these systems very frequent, but they are also very hard to verify:
they are complex (several hundred lines of (Promela) code are needed to model
these systems), and their state spaces are highly irregular. Specifically, their state
spaces seem to be much more irregular than, for instance, those of systems composed
of many identical processes (or pieces of hardware), for which symbolic verification
techniques are able to capture the regularity of the state space with the guidance
of the user (see, e.g., [BCM+90, McM93]). In contrast, for examples of the type
we are considering here, existing symbolic verification techniques were reported to
be inferior to classical state-space exploration algorithms [HD93]. Consequently,
for this particular, though important, class of systems, partial-order methods are
one of the most successful approaches to tackle the state explosion arising during
the analysis of such systems.

Finally, we have shown that using partial-order methods, and especially using
sleep sets, can substantially improve the state-space caching discipline by getting rid
of the main cause of its previous inefficiency, namely prohibitive state matching due
to the exploration of all possible interleavings of concurrent executions all leading
to the same state. Thanks to sleep sets, the memory requirements needed to verify
large reduced state spaces can be strongly decreased (several orders of magnitude)
without seriously affecting the time requirements. This makes possible the complete
exploration of very large reduced state spaces (several tens of millions of states) in a
reasonable time (one night). Used together, partial-order methods and state-space
caching significantly push back the limits of verification by state-space exploration.

Note

The results reported in this paper appeared in [God96].
Abstract

This paper describes the current status of the verification testbed PEP (Programming
Environment based on Petri Nets) from a personal perspective of the author.
The paper concentrates on what are perceived as the main highlights and the major
shortcomings of PEP.


1 Overview of PEP

PEP [8, 48] is a programming and verification environment which is based on Petri
nets, but in which nets play a background role. Primarily, the system accepts two
types of input: a program π written in a concurrent programming language and a
property φ expressed in some temporal logic language. The atoms of φ can, for
instance, refer to variables and/or to control points of π. Through a sequence of
compilation and verification steps, PEP allows φ to be checked against π, i.e. to
determine whether or not φ is true for π (in other words, whether or not π is a
model of φ). Figure 1 describes the core functional dependencies between PEP’s
implemented modules.

The user may input a parallel program written in a simple language called B(PN)²
(Basic Petri Net Programming Notation) [9]. A program may be edited and compiled
either into a process algebraic expression of the PBC (Petri Box Calculus [3], an
extension of CCS [50]) or into a high-level Petri net of the M-net variety [6], and,
from either, further into a 1-safe low-level net; both routes yield equivalent low-level
nets. In addition, the user may input and edit a temporal logic formula which
refers to a program. This formula is compiled into a formula referring to the net
associated with the program, if there exists one. It is also possible to edit a net
(or a formula referring to it), but then, of course, the connection with any program
(formula) it may have come from is destroyed.

*This work has been supported by the Deutsche Forschungsgemeinschaft (DFG) under grants Be
1267/2-1, Be 1267/2-2, Be 1267/6-1, FI 207/1-1 and Sta 450/1-1. Cooperation with the Technische
Universität München has been supported by project A3 (Spezifikation, Analyse, Modellierung) of
the DFG-Sonderforschungsbereich SFB-342 (Methoden und Werkzeuge für die Nutzung paralleler
Rechnerarchitekturen).

Once the system knows of a 1-safe low-level net (which may have been created
either directly or through a program by compilation), the computation of its finite
prefix [43] may be initiated. This prefix represents the partial order semantics of
the net in concise form. When the finite prefix is constructed, the model-checker is
ready to be run. It accepts a (net) formula φ and the finite prefix, executes Esparza’s
model checking algorithm [21] and yields a ‘yes’ or a ‘no’, depending on whether
or not the formula is true of the net (and hence also whether or not the corresponding
program formula - if any - is true of the program - if any).

PEP also has various sideline functionalities in addition to the mainstream
functionality just described. For example, B(PN)² programs can be created automatically
by input filters, for instance from PFA (Parallel Finite Automata) [29]. There are
output filters as well, for example one for transforming a B(PN)² program into
executable C code [46]. Moreover, PEP includes various algorithms to check specific
properties of a net, some of them without needing to compute its prefix. Also,
an alternative model checker (which does not need the finite prefix) has been
implemented for a special class of nets [4, 65]. These additional functionalities are
represented by broken lines in figure 1.

Section 2 describes the history and the rationale of PEP, section 3 deals with the
programming language and its Petri net semantics, and section 4 describes some of the
verification techniques implemented in PEP.


2 History and rationale of PEP

The PEP system unites two lines of development: Petri net semantics of concurrent
programs and verification algorithms on nets and their partial order semantics.

2.1 Petri net semantics of concurrent programs

For the verification of parallel algorithms expressed in a programming notation,
verification techniques such as the Owicki/Gries method [52] are available. For the
verification of parallel algorithms expressed by means of Petri nets, other verification
techniques such as through S-invariants and traps can be applied [1, 56, 58].
Good programming notations come with an indigenous technique for structuring
programs, while Petri nets come with indigenous partial order semantics and analysis
methods. Giving a net semantics to a concurrent language may raise the
hope that both advantages can be combined, and that verification techniques can be
transferred between programming languages and Petri nets.
Figure 1: Functionality diagram of the PEP system


It may be hoped of such a combination that its compositionality and its usefulness
are in proportion. For instance, if a program is made up of variables, sequential
compositions and inner blocks, then it is reasonable to expect its associated Petri
net to be made up similarly of smaller nets corresponding to the variables and the
inner blocks, and combined via a sequential composition defined on nets. This calls
for a special kind of algebra on nets, and the box algebra [3] has been developed
with that aim in mind.

2.2 Verification algorithms on nets and their partial order semantics

On Petri nets there is a tradition of relating graph-theoretical properties - as well
as linear-algebraic properties based on the net’s incidence matrix - to behavioural
properties. For instance, if a net is covered by an S-invariant [56], then it follows
that its state graph (under any initial marking) is finite. Most conditions of this kind
are either sufficient or necessary, but not both. It is reasonable to expect that fast
graph-theoretical algorithms - or, for that matter, fast linear-algebraic algorithms
such as linear programming - can be exploited to check some of these conditions,
and then to exclude or to assert certain behavioural properties. Such an approach
may be called static, because assertions are deduced about the state graph without
ever constructing any part of it. Of course, there are limits to this approach, but
nevertheless, these limits are far from being fully explored.

More recently, the static approach has been extended to cover not specific properties
but a whole class of properties, i.e. a temporal logic. Starting with an observation
by Javier Esparza, we showed that a small branching-time temporal logic that can
be characterised as

‘propositional logic over places, plus the Diamond operator’

can be model-checked by linear algebra - without constructing the state graph
- for safe T-systems [4], which are a class of persistent nets, i.e. nets that are
essentially without conflicts and choices [39]. It was already clear at the time of
writing [4] that it would be difficult to generalise this result to a larger class of nets.
Nevertheless, Javier Esparza found a way of model-checking the entire class of safe
Petri nets against the same logic which retains a key characteristic property of [4],
namely avoiding the construction of the state graph [21]. He showed that instead
of constructing the state graph, McMillan’s idea [43] of computing a finite prefix
of the occurrence net [20, 51] of a net can be exploited.

2.3 Historical remark and acknowledgments

When the PEP project was conceived by Hans Fleischhack and myself in 1993, we
were hoping to create not just a testbed for checking the performance of existing
Petri-net-based analysis algorithms and for searching for new algorithms, but also
a user-friendly environment in which both programs and nets can harmoniously be
input, edited, related to each other, simulated, and verified. At that time, all existing
Petri net tools were either oriented towards graphical input and had no or very little
analysis support, or were oriented exclusively towards analysis without graphical
support (the most advanced system of this kind being Peter Starke’s INA [62]).
None of the systems had the kind of close connection with a concurrent notation
that we had envisaged. Thus, we (which initially meant a group consisting of myself
and Bernd Grahlmann - who has since then been the chief project researcher and
organiser - in Hildesheim and another group led by Hans Fleischhack in Oldenburg)
took the risk of starting an implementation effort from scratch, using only know-how
from the MOBY project at Oldenburg [23] and input from several students’
projects at both sites. The DFG (Deutsche Forschungsgemeinschaft) supports this
project with two persons per year over a period of (so far) 1993-1996. In the second
stage of the project, 1995-1996, the Humboldt-Universität zu Berlin (by a group
led by Peter Starke) has joined the project.

PEP was lucky in getting quite a number of good students interested in the project
and contributing to its realisation — names that come to mind are Burkhard Bieber [13],
Matthias Damm [16], Burkhard Graves [30], Tobias Himstedt [34], Lars Jenner [37],
Michael Kater, Stephan Melzer [46], Stefan Römer [59], Andree Seidel [61] and
Thomas Thielke [65], many of whom are still working on and around the project.
PEP was also fortunate to have the strong and continued support by Esparza’s
research group at the Technische Universität München. By these means, as well as
by the fortunate circumstance that the EU (European Union), DAAD (Deutscher
Akademischer Austauschdienst) and its French counterpart provided funding for
related theoretical work (projects DEMON, CALIBAN and POEM), it was possible
to develop PEP to the point it has now reached.

It is the work of the persons mentioned in this subsection (and others), more than
my own work, that is described in this paper.


3 PEP's inputs and their semantics

PEP primarily accepts two types of input: a program written in the language
B(PN)² [9] and a property referring to a program or to its associated net. B(PN)²
and its Petri net semantics are discussed in sections 3.1 and 3.2. Ways of inputting
properties are described in section 3.3.

3.1 PEP's programming language

Ideally, the notation implemented in PEP was meant to serve a similar purpose for
parallel programs as Dijkstra's guarded command notation [19] served for sequential
nondeterministic programs, namely to represent algorithms in a 'pure' form while
having a simple formal semantics. However, at least two additional questions are
raised:

• Should different hardware topologies be supported? In B(PN)², the answer
is a restricted 'yes', in the sense that both shared memory and message-based
topologies are supported. Message buffers may have arbitrary integer size,
ranging from 0 for handshake communication to ∞ for unbounded buffers.
This may be contrasted with occam [45] which is limited to handshake
communication between processes (other communication methods are possible
but have to be implemented explicitly).

• Should special features such as priorities and interrupts be supported? After
convincing ourselves that at least a restricted (i.e. not optimally concurrent)
formal semantics of priorities can be given in terms of ordinary Petri nets
[10, 32], we have decided, for the time being, not to include priorities in
B(PN)². This may again be contrasted with occam which contains two
constructs for expressing priorities between activities.

In addition, it was decided that B(PN)² should support the following features:

• Explicit atomic actions. B(PN)² allows angular brackets $\langle \ldots \rangle$ to delineate
atomic actions. In the translation, every such construct is translated into one,
or a set of alternative, single transitions of a Petri net.

• Pre- and postvalue programming in predicative style. For instance, an atomic
action (x:=y) would be written as $\langle x' = {}'y \wedge y' = {}'y \rangle$, where $'v$ and $v'$ denote the
prevalue and the postvalue, respectively, of $v$. The idea is that an action
touches only such variables as are mentioned explicitly in it, and any value change
making the predicate true is acceptable. Note the difference between the
above action and $\langle x' = {}'y \rangle$. For the latter, any value change of $y$ would be
acceptable in addition to setting the postvalue of $x$ equal to the prevalue of $y$.

• Unification of shared memory and channel communication. To describe channel
communication in predicative style, we introduced $c?$ and $c!$ as primitives
denoting the value last read on channel $c$ and the value last output to channel
$c$, respectively. They are analogous to the pre- and postvalues of variables.

• Unification of choices and loops. B(PN)² contains a single do ... od clause
both for choices and for loops. The symbol □ separates alternatives, which
can be ended either by the keyword exit (indicating exit from the loop) or by
the keyword repeat (indicating a repetition of the loop).

For instance, figure 2 shows a three-component parallel program which exhibits
both shared memory and buffered communication. Note that, due to the channel
having capacity 2, both values could be deposited in it without any value being read.
If its declaration is changed to var c : chan 1 of {3, 5}, then at most one value
could be written before reading, and if it is changed to var c : chan 0 of {3, 5}, then
writing and reading are simultaneous. In either case, any of the states (y, z)=(3, 3),
(y, z)=(3, 5), (y, z)=(5, 3) or (y, z)=(5, 5) could be a result of the program.


begin var x : {3, 5}; var c : chan 2 of {3, 5};

   ⟨x'=3⟩; ⟨c!='x ∧ x'='x⟩

|| ⟨x'=5⟩; ⟨c!='x ∧ x'='x⟩

|| begin var y, z : {3, 5}; ⟨y'=c?⟩; ⟨z'=c?⟩ end

end

Figure 2: A B(PN)² program with three components and an inner block
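As an added illustration (not code from the PEP project), the following Python program enumerates every interleaving of the figure 2 program under the three channel declarations discussed above and reports the possible final values of (y, z), the largest number of unread values the channel ever holds, and whether any interleaving blocks. The interleaving model of B(PN)² atomic actions, the FIFO buffer and the handshake rule for capacity 0 are assumptions made for this example.

```python
from collections import namedtuple

# Constructed model of the figure 2 program (not PEP's translation): the three
# components run as interleaved atomic actions over the shared variable x and the
# FIFO channel c; the inner block's y and z start unassigned (None).
State = namedtuple("State", "pc x chan y z")

PROGRAMS = (                                 # one action list per component
    (("set_x", 3), ("send",)),               # <x'=3>; <c!='x ∧ x'='x>
    (("set_x", 5), ("send",)),               # <x'=5>; <c!='x ∧ x'='x>
    (("recv", "y"), ("recv", "z")),          # begin var y,z; <y'=c?>; <z'=c?> end
)

def current(s, i):
    """The next atomic action of component i, or None once it has terminated."""
    prog = PROGRAMS[i]
    return prog[s.pc[i]] if s.pc[i] < len(prog) else None

def advance(s, *comps):
    """Move the program counters of the given components one action forward."""
    pc = list(s.pc)
    for i in comps:
        pc[i] += 1
    return s._replace(pc=tuple(pc))

def successors(s, capacity):
    """All states reachable in one step when c is declared 'chan capacity of {3, 5}'."""
    out = []
    for i in range(3):
        act = current(s, i)
        if act is None:
            continue
        kind = act[0]
        if kind == "set_x":
            out.append(advance(s, i)._replace(x=act[1]))
        elif kind == "send" and capacity > 0 and len(s.chan) < capacity:
            out.append(advance(s, i)._replace(chan=s.chan + (s.x,)))  # buffered output
        elif kind == "recv" and s.chan:
            out.append(advance(s, i)._replace(chan=s.chan[1:], **{act[1]: s.chan[0]}))
        elif kind == "send" and capacity == 0:
            # capacity 0: output and input only happen together (handshake)
            for j in range(3):
                other = current(s, j)
                if j != i and other is not None and other[0] == "recv":
                    out.append(advance(s, i, j)._replace(**{other[1]: s.x}))
    return out

def explore(capacity):
    """Exhaustive interleaving. Returns the set of final (y, z) pairs, the largest
    number of unread values the channel ever holds, and the number of deadlocks."""
    s0 = State(pc=(0, 0, 0), x=None, chan=(), y=None, z=None)
    seen, todo = {s0}, [s0]
    results, max_fill, deadlocks = set(), 0, 0
    while todo:
        s = todo.pop()
        max_fill = max(max_fill, len(s.chan))
        nxt = successors(s, capacity)
        if not nxt:
            if all(current(s, i) is None for i in range(3)):
                results.add((s.y, s.z))                  # program terminated
            else:
                deadlocks += 1                           # some component blocked for ever
        for t in nxt:
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return results, max_fill, deadlocks

if __name__ == "__main__":
    for cap in (2, 1, 0):
        pairs, fill, dead = explore(cap)
        print(f"var c : chan {cap} of {{3, 5}}: results {sorted(pairs)}, "
              f"max unread values {fill}, deadlocks {dead}")
```

For every capacity all four (y, z) pairs are reachable, while the number of values the channel can hold unread drops from 2 to 1 to 0, which is exactly the behaviour the text describes.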

B(PN)² has served a useful purpose of representing algorithms (or nets) linearly.
However, it has also turned out to have at least two shortcomings. First, for any
large-scale applications, it would be indispensable to include recursion, procedures,
and other features. Second, the core language is perhaps slightly too liberal.

As to the first problem, work is in progress to extend B(PN)² by procedures
while still retaining its property of having a compositional net semantics [24, 42].
In a further line of development, object-oriented features are being investigated
with respect to their compositional net semantics [41]. These investigations are
encouraging, in the sense that all extensions seem to be possible without significant
extension of the existing Petri net model on which the semantics of B(PN)² is
based (section 3.2).

Secondly, there seem to be some problems - or at least, debatable issues - with the
prevalue/postvalue approach to atomic actions and their Petri net semantics. One of
these issues is the (Petri net) semantics of actions such as $a_0 = \langle \mathit{true} \rangle$, $a_1 = \langle x' = {}'x \rangle$
and $a_2 = \langle x' = x' \rangle$. At present, $a_0$ is translated into a single 'silent' transition, $a_1$ is
translated into a choice of transitions which access the variable $x$ but do not change
its value, and $a_2$ is translated into a choice of transitions accessing $x$ and allowing
any value change. Operationally, this makes sense: for example, the first action
does not interfere with a parallel fourth action accessing $x$, while the second and
third actions do. However, axiomatically, it does not make much sense since the
predicate $\mathit{true}$ is normally considered equivalent with predicates such as

Another issue is the syntax of choices and loops. The idea to combine them in
a single do ... od originally arose from translating them into a process algebra
which contains only recursion but no iteration. For instance, the program fragment
do $a_1$; exit □ $a_2$; repeat od can be translated into the recursive process algebraic
expression $X = (a_1 \,\Box\, (a_2; X))$ [11]. It turns out that with a well-behaved (in terms
of its net semantics) process algebraic iteration construct such as $[E_1 * E_2 * E_3]$,
where $E_1$ is the initialisation, $E_2$ is the body of the repetition and $E_3$ is finalisation,
the semantics of the general do ... od is awkward because $E_1$ must be assumed to
be a silent action in general. Other iteration constructs such as $[E_2 * E_3]$ ($E_2$ being
the body and $E_3$ being finalisation) or more simply $[E_2]$ (denoting $E_2^*$ in terms
of regular expressions) are more convenient for giving the semantics of the loop
construct, but are less well-behaved in terms of their Petri net semantics.

To avoid these problems, at the present time I favour imposing on B(PN)² the same
restriction that is already built into the guarded command notation and that leads to
well-formed [1] nets: that every alternative of a loop construct must begin with a
plain action which is not itself another loop. In the present version of B(PN)², this
is implemented by the enter clause which separates the initialisation of a do ... od
construct from its body (see figure 3 below for an example).

Another issue is the semantics of multiple communications such as

$\langle c! = 5 \wedge d! = 3 \rangle \;\|\; \langle c? = x' \wedge d? = y' \rangle,$

where $c$ and $d$ are channels of capacity 0 and $x$ and $y$ are variables. In the present
implementation, this parallel command leads to a deadlock, which is due to
the underlying semantic ideas stipulating that a single channel should be sufficient
(and necessary) for creating a handshake synchronisation out of two separate atomic
actions. This approach has been found too restrictive in some contexts and
generalisations have been proposed [18, 25].
3.2 The compositional Petri net model underlying B(PN)²

In our approach, two important ideas in giving Petri net semantics to a language such
as B(PN)² are, firstly, that it should be compositional and, secondly, that it should
be transparent. Transparency means that the translation should introduce neither too
many auxiliary places and/or transitions nor additional behaviour. Compositionality
means that every program object - a variable declaration, an atomic action or a block,
... - should be describable by a stand-alone Petri net, and that the set of all these Petri
net ingredients can be combined at the Petri net level by operations which match
the syntactic operators used in the program to combine its ingredients (variable
declarations, atomic actions, inner blocks, ...).

Robin Milner has already shown in both his books [49, 50] how such a translation
can be achieved compositionally at the process algebra level. His approach is,
however, lacking in transparency (in the above sense) because of the way CCS
is constructed. For example, sequential composition has to be implemented in a
roundabout way, which is not too complicated conceptually, but adds complexity
to the resulting expression. As another example, atomic actions such as $\langle x := y \rangle$,
where $x$ and $y$ are declared in different blocks, lead to overhead in the translation
and hence also in CCS-based analysis of the properties of programs containing such
actions.

The box algebra [3] has been devised as a modification and (partial) extension of
CCS in order to avoid such overheads. This algebra has been defined together with
a direct translation into a class of labelled 1-safe elementary Petri nets called boxes.
PEP originally used this translation in order to create a net from a program: first
an expression of the algebra is created from the program, and then a box is created
from the expression. In practice, however, this approach is of limited usefulness
because the resulting nets are usually very large; they are necessarily so large, of
course, because all information contained in the program (in particular, variable
types) needs to be stored in Petri net form. Already the expressions, which are
used as intermediate translation results between programs and nets, tend to become
very large in general. (However, they provide a possible interface to tools such as
the Edinburgh Concurrency Workbench [64].) The advantage of this approach is
that the full set of Petri net analysis methods - described below in section 4 - is
applicable to the result of the translation.

In practice, it turns out that one would wish to translate a program only partially into
a net, or into an abbreviated net from which the full net can be derived in a further
step if desired. Net theory provides a class of nets for just such a purpose: so-called
high-level nets ([26, 38] and others). However, in the PEP project high-level nets
could not be used directly, because we required all translations to be compositional.
Hence prior to using high-level nets, we needed to impose an algebra to make the
box algebra operations available for them.

This line of thought gave rise to the model which is now used in PEP: the M-net
(modular net) model [6, 7]. M-nets are high-level nets with an additional
algebra containing box algebra operations such as choice composition, parallel
composition and synchronisation. It is then possible to create an M-net associated
with a B(PN)² program by first constructing little M-nets corresponding to the
ingredients (declarations, atomic actions etc.) of the program and then composing
these M-nets in the same way as the ingredients of the program are combined. As a
rule, the M-net of a program is not significantly larger than the program itself - but,
of course, it has a set of inscriptions so as not to lose information. The disadvantage
of this approach is that, even though finding structural analysis methods for high-level
nets is presently a vigorous area of research (I mention e.g. [60]), there exist
very few general methods for analysing a high-level net short of unfolding it, i.e.
creating its associated elementary net (which, of course, defeats the idea of saving
space).

The existing version of PEP does not exploit the compositionality which is built into
the semantics. More pessimistically, while it is clear that compositionality is vital
for semantics such as Hoare-style axiomatic semantics [35] or weakest precondition
semantics [19], it is not yet clear whether compositionality of Petri net semantics
can be exploited in any significant way in proofs of programs. The current version of
PEP concentrates much more on what I have called transparency, i.e. on minimising
the nets that are created, and on applying analysis algorithms to these objects.

3.3 PEP's (current) ways of specifying properties

PEP supports various ways of specifying properties: directly (see section 4.1); by a
simple branching-time logic (on which the analysis algorithms described in sections
4.2 and 4.3 are based); and in a linear-time notation (for the semidecision analysis
described in section 4.5). The reader will notice that PEP does not (yet) support
a truly strong logic, i.e. that some desirable properties may not be expressible,
and hence not checkable (in the present version). This is due to a conscious effort
of getting as static (and hence, hopefully, as efficient) as possible algorithms for
a small (yet not uninteresting) logic first, before extending them at a later stage.
It is understood that in a further development of the system, if PEP's indigenous
algorithms turn out to be non-generalisable or not easily generalisable, it will be
attempted to complement the existing techniques by more traditional state-graph-based
algorithms.

The language of the branching-time logic, call it BL, refers to a given 1-safe net $N$
with place set $S = \{s_1, \dots, s_n\}$. An atomic formula is either the constant $\mathit{true}$ or a
place name $s_i$. If $\phi$, $\phi_1$ and $\phi_2$ are formulae, then so are $\neg\phi$, $\phi_1 \vee \phi_2$ and $\Diamond\phi$. The
semantics of this logic refers to pairs $(N, M)$ where $N$ is a net as above and $M$ is a
marking of $N$. By definition, $(N, M)$ always satisfies $\mathit{true}$; $(N, M)$ satisfies $s_i$ iff
$M(s_i) > 0$; $(N, M)$ satisfies $\neg\phi$ iff it does not satisfy $\phi$; $(N, M)$ satisfies $\phi_1 \vee \phi_2$ iff
it satisfies $\phi_1$ or $\phi_2$; and $(N, M)$ satisfies $\Diamond\phi$ iff there is a successor marking $M'$ of
$M$ such that $(N, M')$ satisfies $\phi$. There are derived operators, such as $\wedge = \neg\vee\neg$,
$\Box = \neg\Diamond\neg$, etc.

As usual, this simple definition is computationally uninteresting, because using it,
the evaluation of a formula $\phi$ for any given $(N, M)$ involves the (computation and
the) traversal of the state graph, possibly many times, depending on the depth of
nesting of the diamond operators $\Diamond$. In section 4, more efficient algorithms are
described. Examples of properties that can be expressed are:

$\Box\Diamond(\bigvee_{s \in {}^\bullet t} s)$  (liveness of transition $t$)

$\Diamond\Box s_i$  (token trappable on $s_i$)

$\Diamond(s_1 \wedge \neg s_2 \wedge \dots \wedge \neg s_n)$  (reachability of a marking,
in this case $(1, 0, \dots, 0) \in \mathbb{N}^{|S|}$).

Eventuality properties cannot, as a rule, be expressed in BL.

A slight change in the syntax of the logic makes formulae refer to programs rather
than to nets: given a program, we may allow atomic formulae of the form $\mathit{true}$ or
$x{=}v$ (where $x$ is a variable and $v$ is a value) or $\mathrm{at}\ p$ (where $p$ is a control point).
When the program is translated into a corresponding 1-safe net, a program formula
may automatically be translated into a corresponding formula referring to that net,
because every term of the form $x{=}v$ or $\mathrm{at}\ p$ refers to a place of the net. Moreover,
the formula is true of the program in its initial state if and only if the corresponding
formula is true of the net and its corresponding initial marking. For example, in
figure 2, the formula $\Diamond(y{=}3 \wedge z{=}3)$ is true, because there exists an execution in
which both $y$ and $z$ are set to the value 3.

4 PEP's verification components

PEP attempts to do its verification business as statically as possible, e.g. by running
algorithms on the structure of a net (or a program) to deduce properties of the
net's (or the program's) behaviour. Five classes of verification techniques can be
distinguished in PEP: dedicated analysis, restricted static model-checking, model-checking
based on occurrence nets, interfacing to other systems such as INA, and
analysis based on linear algebra. Sections 4.1 to 4.5 describe these techniques in
turn.

4.1 Dedicated analysis algorithms

In its initial phase, PEP was used as a testbed for students to implement static analysis
algorithms. For instance, [17] describes a wealth of theorems giving (often exact)
structural conditions for a variety of behavioural properties of certain subclasses of
Petri nets. In PEP, nets may first be checked as to whether or not they belong to
such a subclass, and if so, one of the structural algorithms can be invoked to test
a corresponding property. The test of belonging to a subclass is split into several
subtests: 'is the net free-choice?', 'is it a T-system?', 'is it n-bounded?' (this test
can be neglected if the net comes from a program, since it is then 1-bounded by
construction), 'is it live if bounded?' and 'is it deadlock-free?' (using McMillan's
algorithm).

The boundedness test involves constructing the state graph, and the corresponding
algorithm of PEP is therefore (and because it has not been optimised) rather slow.
Nets coming from programs are nearly always non-free-choice, and hence the implemented
algorithms for free-choice nets are not useful for such nets. In fact, for
these reasons, this line of development of PEP has been all but discontinued, but
nevertheless, it may still serve a useful purpose as a testbed for new algorithms.
The test for boundedness is faster using the optimised algorithms of INA described
below in section 4.4.

4.2 Static model-checking for persistent nets

The essential idea of this model-checker [4] can be described as follows. Let a
net $N$ with an initial marking $M^0$ and a formula $\phi$ of the temporal logic BL be
given, such that $(N, M^0)$ is a safe T-system; the problem is to decide whether or not
$(N, M^0)$ satisfies $\phi$. To check this, consider an innermost subformula of the form
$\Diamond(l_1 \wedge \dots \wedge l_m)$ of $\phi$, where each $l_i$ is a literal, i.e. either $s_i$ or $\neg s_i$ for some place
$s_i$. Exploiting the persistence of $(N, M^0)$, it can be shown that this subformula can
be equivalently replaced by a formula of the form $\forall t_i \in T\colon t_i \le k_i$, where $T$ is the set
of transitions of $N$ and the $k_i$ arise as solutions of a linear programming problem
which encodes the following question:

'What is the maximal number of times that $t_i$ can be executed such
that the resulting sequence (there is only one up to equivalent permutations
by persistence) does not lose the property of being extendable
to a sequence leading to a marking such that all of $s_1$-$s_n$ are
marked/unmarked, depending on whether $l_i$ is $s_i$/$\neg s_i$?'

Replacing $\Diamond(l_1 \wedge \dots \wedge l_m)$ by $\forall t_i \in T\colon t_i \le k_i$ is satisfiability-invariant, i.e. the resulting
formula is valid for $(N, M^0)$ if and only if the original formula was. It is now a
routine matter to apply this procedure repeatedly until no temporal operators $\Diamond$ (nor
$\Box$) are left in the formula, and temporal-operator-free formulae can be evaluated
directly on the initial state without computing the state graph. (In order to apply
this procedure, the logic has to be extended - temporarily - by atomic formulae of
the form $t \le k$, with $k$ being an element of the set $\{-1\} \cup \mathbb{N} \cup \{+\infty\}$; but this is not a
problem [4].)

In PEP, this algorithm has been implemented for safe T-systems [65]. Its performance
can be startling for people who are used to checking other algorithms on very
concurrent systems, such as the CCS expression $a_1 \| \dots \| a_n$ which generates $2^n$
reachable states (or, to mention a less trivial example, Milner's well-known scheduler
[50], which is also a T-system). PEP checks formulae on such systems rather
quickly.

The model-checking algorithm described in this section has an interesting characteristic
property: it shifts complexity away from one of its input parameters (the
model) towards the other input parameter (the formula). Since our temporal logic
includes the propositional calculus, any model checker is bound to be exponential
in the size of the net (note: this is the net, not its state graph!) or in the length of
the formula. Interleaving-based model-checking algorithms are exponential in the
size of the net (because they generate the state graph) and linear in the length of
the formula. The algorithm described in this section is exponential in the length
of the formula (because it has to compute disjunctive normal forms repeatedly in
order to obtain subformulae of the form $\Diamond(l_1 \wedge \dots \wedge l_m)$), but is provably polynomial
in the size of the net. We consider this a desirable property of a model-checking
algorithm: the net (and a fortiori its state graph) will be very large, in most cases,
while the interesting formulae will - in most cases - be of limited size¹ and, in
particular, of limited nesting depth.

4.3 Model-checking on finite prefixes of occurrence nets

Javier Esparza's model-checking algorithm [21] can be viewed as a generalisation of
the algorithm described in section 4.2. The generalisation consists in allowing any
safe Petri net, rather than just persistent ones, as input while retaining essentially the
same logic, BL. The algorithm itself had to be extended and modified considerably,
but Esparza did this in such a way that one of its main properties - viz., shifting
algorithmic complexity from the size of the net to the size of the formula - remains
as much as possible intact.

Some form of representing behaviour turns out to be necessary, and Esparza has
shown that it is in essence sufficient to keep knowledge about the maximal nonsequential
processes (i.e. the maximal partial order behaviours [5, 28]) of the input
net. (If the net is persistent, then there is only one such process.) A succinct way
of representing all processes of the net is by its occurrence net [20, 51], which can
loosely be described as a branching structure with processes as 'paths'; the occurrence
net of a net is to the set of its processes what the execution tree of a net is to
the set of its interleavings.

Unfortunately, the occurrence net of a net is, in general, infinite. Fortunately, there
is a way (detected by McMillan [43]) of defining a 'sufficiently large' prefix of
the occurrence net - where 'sufficiently large' means that it contains implicitly
every reachable marking. That prefix is always finite. Esparza has shown that
not only all reachable markings, but also the maximal processes, are recoverable
from that finite prefix. Using this finite prefix, model-checking can be done in a
similar way as described above, i.e. by replacing innermost subformulae of the
form $\Diamond(l_1 \wedge \dots \wedge l_m)$ by suitable conjunctions not involving $\Diamond$. However, the actual
algorithm is significantly more complicated, and it involves the reconstruction of
the relevant (maximal) processes from the finite prefix using a continuous 'shift'
operator.

¹Although we will consider an exception in section 5.

Theoretical results about this model-checking algorithm are, (1): that in the special
case of safe persistent systems it has polynomial complexity in the size of the prefix,
and (2): that for a certain class of safe persistent systems, called safe conflict-free
systems, it has polynomial complexity in the size of the net. A corollary of (1)
and (2) is that in the special case of safe T-systems, the runtime of this algorithm
is provably of the same complexity as that of the previously described algorithm
(by orders of magnitude). Moreover, given that there are examples where the finite
prefix is an order of magnitude smaller than the state graph, this algorithm performs
better than ones based on the latter.


begin var h : {1, 2} init 1; var in1, in2 : {false, true} init false;
   do ⟨true⟩ enter ⟨in1'=true⟩;
      do ⟨true⟩ enter ⟨in2=false⟩; exit
       □ ⟨in2=true⟩;
         do ⟨true⟩ enter ⟨h=2⟩; ⟨in1'=false⟩;
                           ⟨h=1⟩; ⟨in1'=true⟩;
                           exit
          □ ⟨h=1⟩; exit
         od; repeat
      od;
      % cs1 : Critical Section 1
      ⟨h'=2⟩; ⟨in1'=false⟩; repeat
   od
|| do ... analogous (exchanging 1 and 2) ... od
end

Figure 3: Dekker's algorithm in B(PN)² notation

As before, the algorithm performs particularly well for systems with lots of concurrency
and little choice, such as $a_1 \| \dots \| a_n$. By contrast, in a typical system
without concurrency and with lots of choice, the finite prefix may even be exponential
whereas the state graph is only polynomial in size. Consider, for example, the
process algebraic term $(a_1 + b_1); (a_2 + b_2); \dots; (a_n + b_n)$. The Petri net of this term
generates a state graph of size $O(n)$ and a finite prefix of size $O(2^n)$, because after
each $i$-th choice, the rest of the occurrence net gets duplicated. The paper [22], however,
describes an improvement of McMillan's unfolding algorithm which allows
the calculation of optimised finite prefixes, such that a further result holds, (3): the
optimised finite prefix is always of size less than or equal to the state graph (in terms of
orders of magnitude), and, moreover, the previous results (1) and (2) still hold for
the optimised prefix. This optimisation is implemented in the current version of
PEP.

After implementing the algorithm in PEP, it was tested on various examples. For
instance, at one point of the development, we tested PEP's model-checking algorithm
on Dekker's protocol for mutual exclusion (see e.g. [1]). This protocol is
reproduced in figure 3 in B(PN)² notation.² At that point in time, we checked the
following formulae, obtaining, respectively, the results shown beside them:

$\neg\Diamond(\mathrm{at}\ cs_1 \wedge \mathrm{at}\ cs_2)$                      true

$\Box(\mathrm{at}\ cs_1 \Rightarrow (\Diamond\, \mathrm{at}\ cs_2))$             true

$\Box(\mathrm{at}\ cs_2 \Rightarrow (\Diamond\, \mathrm{at}\ cs_1))$             true

$\Diamond\, \mathrm{at}\ cs_1$                                        true

$\Diamond\, \mathrm{at}\ cs_2$                                        true

$\Box\Diamond(\mathrm{at}\ cs_1)$                                     false

$\Box\Diamond(\mathrm{at}\ cs_2)$                                     false

$\Box\Diamond(\mathrm{at}\ cs_1 \vee \mathrm{at}\ cs_2)$                         false


This result is fine for the first five formulae but not for the last three. Burkhard
Graves analysed the problem and traced it back to an error in Javier Esparza's
paper. It is not possible to describe the full details in this paper, but the essential
point is that the finite prefix as defined by McMillan is 'too small' for the 'shift'
operator to function in the way it is supposed to function. It is possible to fix this
problem by creating a finite prefix which is sufficiently large. This solution is easy
to describe and recovers the theoretical results (1) and (2) of Esparza's paper, but it
slows down the entire model-checker very significantly. It is only now (July 1996)
that Burkhard Graves hopes to have found a way of enlarging the finite prefix in a
minimal way while ensuring that the 'shift' operator works as it should and, at the
same time, retaining the efficiency of the algorithm. This work will be reported in
[31].
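The following Python program is an added example (not PEP's or Esparza's code) serving both the definition of BL in section 3.3 and the Dekker checks above: it encod­es the figure 3 program as a constructed 1-safe net and evaluates the eight formulae by the 'simple definition', i.e. by traversing the state graph once per ◇. The transition encoding of the B(PN)² actions, the place names (p<i>_<k>, cs<i>, 'h=1', 'in1=true') and the reading of ◇φ as reachability (the current marking included) are assumptions of this example; under them all eight formulae come out true, as the text indicates they should.

```python
# Constructed 1-safe net for Dekker's algorithm (figure 3) and the 'simple
# definition' of BL (section 3.3) evaluated on its state graph. Not PEP's code:
# the transition encoding and the place names are assumptions of this example.

def dekker_net():
    """Transitions as (preset, postset) pairs over place names, plus the initial
    marking; markings are frozensets of marked places (1-safe by construction)."""
    trans = []
    def add(pre, post):
        trans.append((frozenset(pre), frozenset(post)))
    bools = ("false", "true")
    for me, other in ((1, 2), (2, 1)):
        p = lambda k: f"p{me}_{k}"        # control points of process `me`
        cs = f"cs{me}"                    # its critical section
        inm = lambda v: f"in{me}={v}"     # value places for in_me, in_other, h
        ino = lambda v: f"in{other}={v}"
        h = lambda v: f"h={v}"
        for v in bools:                   # <in_me'=true>: one transition per prevalue
            add({p(0), inm(v)}, {p(1), inm("true")})
        add({p(1), ino("false")}, {cs, ino("false")})  # enter <in_other=false>; exit
        add({p(1), ino("true")}, {p(2), ino("true")})  # [] <in_other=true>; ...
        add({p(2), h(other)}, {p(3), h(other)})        #   enter <h=other>;
        for v in bools:
            add({p(3), inm(v)}, {p(4), inm("false")})  #   <in_me'=false>;
        add({p(4), h(me)}, {p(5), h(me)})              #   <h=me>;
        for v in bools:
            add({p(5), inm(v)}, {p(1), inm("true")})   #   <in_me'=true>; exit; repeat
        add({p(2), h(me)}, {p(1), h(me)})              #   [] <h=me>; exit; repeat
        for v in (1, 2):
            add({cs, h(v)}, {p(6), h(other)})          # <h'=other>;
        for v in bools:
            add({p(6), inm(v)}, {p(0), inm("false")})  # <in_me'=false>; repeat
    m0 = frozenset({"p1_0", "p2_0", "h=1", "in1=false", "in2=false"})
    return trans, m0

def state_graph(trans, m0):
    """Marking -> set of successor markings, for every marking reachable from m0."""
    succ, todo = {}, [m0]
    while todo:
        m = todo.pop()
        if m in succ:
            continue
        succ[m] = {(m - pre) | post for pre, post in trans if pre <= m}
        todo.extend(succ[m])
    return succ

# BL formulae as nested tuples: ('true',), ('place', s), ('not', f), ('or', f, g)
# and ('dia', f); the derived operators follow section 3.3 (∧ = ¬∨¬, □ = ¬◇¬).
def AND(f, g): return ('not', ('or', ('not', f), ('not', g)))
def BOX(f): return ('not', ('dia', ('not', f)))
def IMPLIES(f, g): return ('or', ('not', f), g)

def sat(succ, f):
    """Markings of the state graph that satisfy f. ◇φ is read as 'some marking
    reachable from M (M itself included) satisfies φ' and computed by backward
    closure, i.e. one traversal of the graph per ◇, as section 3.3 describes."""
    R = set(succ)
    op = f[0]
    if op == 'true':
        return R
    if op == 'place':
        return {m for m in R if f[1] in m}
    if op == 'not':
        return R - sat(succ, f[1])
    if op == 'or':
        return sat(succ, f[1]) | sat(succ, f[2])
    if op == 'dia':
        good = sat(succ, f[1])
        frontier = good
        while frontier:
            frontier = {m for m in R - good if succ[m] & good}
            good |= frontier
        return good
    raise ValueError(f"unknown operator {op!r}")

def check(f):
    trans, m0 = dekker_net()
    return m0 in sat(state_graph(trans, m0), f)

def dekker_results():
    """The eight formulae of section 4.3, with 'at cs_i' read as the place cs<i>."""
    trans, m0 = dekker_net()
    succ = state_graph(trans, m0)
    cs1, cs2 = ('place', 'cs1'), ('place', 'cs2')
    formulae = {
        "¬◇(at cs1 ∧ at cs2)": ('not', ('dia', AND(cs1, cs2))),
        "□(at cs1 ⇒ ◇ at cs2)": BOX(IMPLIES(cs1, ('dia', cs2))),
        "□(at cs2 ⇒ ◇ at cs1)": BOX(IMPLIES(cs2, ('dia', cs1))),
        "◇ at cs1": ('dia', cs1),
        "◇ at cs2": ('dia', cs2),
        "□◇(at cs1)": BOX(('dia', cs1)),
        "□◇(at cs2)": BOX(('dia', cs2)),
        "□◇(at cs1 ∨ at cs2)": BOX(('dia', ('or', cs1, cs2))),
    }
    return {name: m0 in sat(succ, f) for name, f in formulae.items()}, len(succ)

if __name__ == "__main__":
    print(dekker_results())
```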


4.4  INA  interface 

There have been recent efforts to combine PEP with Peter Starke's analysis tool INA
(Integrated Net Analyser) [62]. Thanks mainly to work by Lutz Pogrell [55], the
present version of PEP contains a user-transparent interface between the two tools
that were originally developed independently of each other. INA can now be called
from the same graphical interface, and nets that are input by PEP can be analysed by
INA. In this paper, I refrain from describing the interface, but I mention the analysis
capabilities of INA just in order to indicate the added capabilities of the combined
tool, PEP/INA. The following is a sample, insignificantly shortened, output of INA,
referring to a random net (figure 22 of [2]), reproduced here by courtesy of Peter
Starke.

²We use ⟨h=2⟩ as an abbreviation of ⟨h=2=h'⟩, and we show this algorithm here explicitly just
to give an example for the notation.

Start of INA output:

Current net options are: token type - black (for place/transition nets); time option - intervals; elements - transitions; firing rule - safe; priorities - not to be used; strategy - single transitions.

Information on elementary structural properties: the net has no bad reachable states; the net is not statically conflict free; the net is pure; the net has transitions without pre-places; the net is not coverable by state-machines; the net is not strongly connected; the net is not covered by semipositive P-invariants; the net has transitions without post-place; the net is ordinary, homogeneous, not conservative, not subconservative; not a state machine, not free choice, not extended free choice, not extended simple, not marked, not marked with exactly one token, not a marked graph, connected; the net has a non-blocking multiplicity, no nonempty clean trap, no places without pre-transition, no places without post-transition; the maximal in/out-degree is 4.

Computation of the reachability graph. Current analysis options are: no depth restriction; do not print all states; print the dead states; do not print the bad states; no reachability / coverability test. Number of states generated: 642.

The net has no dead transitions at the initial marking; the net is bounded; the net is safe; the net has no dead reachable states.

Current graph analysis options are: no computation of dynamic conflicts; no computation of distances; no computation of circuits; computation of terminal SC-components; resetability; liveness test.

Graph analysis: The initial state is reproducible.

Computation of the terminal SC-components. The net is reversible (resetable), covered by semipositive T-invariants, live, live if dead transitions are ignored, live and safe, has no time deadlocks.

End of INA output.

INA's computation of the reachability graph (state graph) is very fast. Moreover, INA has capabilities for exploiting the stubborn-set method by Valmari [67] and for detecting (and exploiting) state graph symmetries [63]. INA has a small in-built expert system which allows the conclusions of some known theorems to be added to the set of analysis results, provided the premises leading to those conclusions have already been verified for the particular net under consideration.
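Several of the elementary structural properties in the INA output above (pure, ordinary, statically conflict free, free choice, state machine, marked graph, connectedness, maximal in/out-degree) are decided purely from the net's arcs, without any state-space computation. The following is an added example of how such checks are computed; it is not INA or PEP code, and the net it runs on (two processes sharing one semaphore place) is constructed for the example:

```python
"""Structural Petri-net properties of the kind INA reports (added example)."""
from collections import deque

# Constructed place/transition net: two processes sharing one semaphore.
# Each transition maps to (pre-places, post-places), each with arc weights.
PLACES = ["idle1", "cs1", "idle2", "cs2", "sem"]
TRANSITIONS = {
    "enter1": ({"idle1": 1, "sem": 1}, {"cs1": 1}),
    "leave1": ({"cs1": 1}, {"idle1": 1, "sem": 1}),
    "enter2": ({"idle2": 1, "sem": 1}, {"cs2": 1}),
    "leave2": ({"cs2": 1}, {"idle2": 1, "sem": 1}),
}


def pre_places(net, t):
    return set(net[t][0])


def post_places(net, t):
    return set(net[t][1])


def pre_trans(net, p):
    return {t for t, (pre, post) in net.items() if p in post}


def post_trans(net, p):
    return {t for t, (pre, post) in net.items() if p in pre}


def is_ordinary(net):
    """All arc weights are 1."""
    return all(w == 1 for pre, post in net.values()
               for w in list(pre.values()) + list(post.values()))


def is_pure(net):
    """No transition has a place in both its pre-set and post-set (no self-loop)."""
    return all(not (pre_places(net, t) & post_places(net, t)) for t in net)


def is_statically_conflict_free(net):
    """No two transitions share a pre-place."""
    ts = list(net)
    return all(not (pre_places(net, a) & pre_places(net, b))
               for i, a in enumerate(ts) for b in ts[i + 1:])


def is_free_choice(net, places):
    """A place with several post-transitions is the only pre-place of each."""
    return all(len(post_trans(net, p)) <= 1 or
               all(pre_places(net, t) == {p} for t in post_trans(net, p))
               for p in places)


def is_extended_free_choice(net, places):
    """Transitions that share a pre-place have identical pre-sets."""
    for p in places:
        presets = [pre_places(net, t) for t in post_trans(net, p)]
        if any(ps != presets[0] for ps in presets[1:]):
            return False
    return True


def is_state_machine(net):
    """Every transition has exactly one pre-place and one post-place."""
    return all(len(pre) == 1 and len(post) == 1 for pre, post in net.values())


def is_marked_graph(net, places):
    """Every place has exactly one pre-transition and one post-transition."""
    return all(len(pre_trans(net, p)) == 1 and len(post_trans(net, p)) == 1
               for p in places)


def adjacency(net, places):
    """Directed arcs of the bipartite net graph over places and transitions."""
    succ = {n: set() for n in list(places) + list(net)}
    for t, (pre, post) in net.items():
        for p in pre:
            succ[p].add(t)
        for p in post:
            succ[t].add(p)
    return succ


def reach(succ, start):
    seen, queue = {start}, deque([start])
    while queue:
        for n in succ[queue.popleft()]:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return seen


def is_strongly_connected(net, places):
    succ = adjacency(net, places)
    pred = {n: set() for n in succ}
    for a, bs in succ.items():
        for b in bs:
            pred[b].add(a)
    start = next(iter(succ))
    return reach(succ, start) == set(succ) == reach(pred, start)


def is_connected(net, places):
    succ = adjacency(net, places)
    und = {n: set() for n in succ}
    for a, bs in succ.items():
        for b in bs:
            und[a].add(b)
            und[b].add(a)
    return reach(und, next(iter(und))) == set(und)


def max_degree(net, places):
    succ = adjacency(net, places)
    indeg = {n: 0 for n in succ}
    for bs in succ.values():
        for b in bs:
            indeg[b] += 1
    return max(max(len(s) for s in succ.values()), max(indeg.values()))


def report(net=TRANSITIONS, places=PLACES):
    """INA-style summary of the structural properties computed above."""
    return {"ordinary": is_ordinary(net), "pure": is_pure(net),
            "statically conflict free": is_statically_conflict_free(net),
            "free choice": is_free_choice(net, places),
            "extended free choice": is_extended_free_choice(net, places),
            "state machine": is_state_machine(net),
            "marked graph": is_marked_graph(net, places),
            "connected": is_connected(net, places),
            "strongly connected": is_strongly_connected(net, places),
            "max in/out-degree": max_degree(net, places)}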

4.5 Linear-algebraic semidecision analysis

PEP offers a semidecision verification method which is based on a linear upper approximation of the state space. The theory of this method is described in [47] and briefly in [48]. The method extracts from the description of the net and its initial marking, in linear time, a set of linear constraints $L$ that every reachable marking must satisfy. Thus, the solutions of $L$ are a superset of the reachable markings. In order to make use of $L$ for verification, a new set $L_P$ of linear constraints is added to it which specify the markings that do not satisfy a desirable property $P$. Then, linear programming is used to solve the system $L \cup L_P$; if the system has no solution, every reachable marking satisfies $P$.

The set of constraints $L$ is actually the union of two subsets $L_1$ and $L_2$. $L_1$ comes from the state equation and has been known for many years. The upper approximation of the state space that can be derived from $L_1$ is often rough and insufficient to prove many properties. The main contribution of [47] is the definition of $L_2$, a new set of constraints derived from the traps of the net.

Presently there exist semidecision algorithms for deadlock-freeness (yielding either 'deadlock-free' or 'possibly not deadlock-free, with marking ... being potential deadlock marking' as results) and for the reachability of a marking or a partially specified marking.
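The following added example (not PEP's implementation, and not the full method of [47]) shows the shape of the reachability semidecision described above on two constructed two-place nets. It builds the incidence matrix, tests the state equation $M = M_0 + C \cdot x$ for consistency, and then applies the trap constraints: a trap that is marked initially can never become empty, so a target marking that empties one is unreachable. Two simplifications are assumptions of this example: the state equation is solved over the rationals by Gaussian elimination rather than by linear programming (so the non-negativity of $x$ is not enforced, which makes the $L_1$ part weaker but still sound), and traps are found by enumerating place subsets, which is only viable for tiny nets. The indecisive answer for the marking (0, 1) of the first net is exactly the kind of result a semidecision procedure may return:

```python
"""Linear-constraint semidecision of reachability (added example)."""
from fractions import Fraction
from itertools import combinations

# Constructed net A: t1 takes a token from p1 and puts two on p2; t2 moves one
# token from p2 back to p1.  Constructed net B: a plain two-place cycle.
PLACES = ["p1", "p2"]
DOUBLER = {"t1": ({"p1": 1}, {"p2": 2}), "t2": ({"p2": 1}, {"p1": 1})}
CYCLE = {"t1": ({"p1": 1}, {"p2": 1}), "t2": ({"p2": 1}, {"p1": 1})}
M0 = {"p1": 1, "p2": 0}


def incidence(net, places):
    """Incidence matrix C: one row per place, one column per transition."""
    return [[net[t][1].get(p, 0) - net[t][0].get(p, 0) for t in net]
            for p in places]


def state_equation_consistent(C, d):
    """True if C.x = d has a rational solution (Gaussian elimination over Q).
    Non-negativity of x, which linear programming would enforce, is dropped
    here, so this is a weaker but still sound form of the constraint set L1."""
    rows = [[Fraction(v) for v in C[i]] + [Fraction(d[i])] for i in range(len(C))]
    ncols = len(C[0]) if C else 0
    r = 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i][c] != 0), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        pv = rows[r][c]
        rows[r] = [v / pv for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c] != 0:
                f = rows[i][c]
                rows[i] = [a - f * b for a, b in zip(rows[i], rows[r])]
        r += 1
    # an all-zero coefficient row with a non-zero right-hand side: no solution
    return all(any(v != 0 for v in row[:-1]) or row[-1] == 0 for row in rows)


def traps(net, places):
    """Non-empty traps: place sets S such that every transition removing a token
    from S also puts a token into S.  Found by enumeration (tiny nets only)."""
    found = []
    for k in range(1, len(places) + 1):
        for subset in combinations(places, k):
            S = set(subset)
            if all(not (set(pre) & S) or bool(set(post) & S)
                   for pre, post in net.values()):
                found.append(S)
    return found


def reachability_verdict(target, net, places=PLACES, m0=M0):
    """'unreachable' when L1 or L2 excludes the target, else 'possibly reachable'."""
    C = incidence(net, places)
    d = [target[p] - m0[p] for p in places]
    if not state_equation_consistent(C, d):
        return "unreachable"              # excluded by L1 (state equation)
    for S in traps(net, places):          # L2: a marked trap never empties
        if sum(m0[p] for p in S) > 0 and sum(target[p] for p in S) == 0:
            return "unreachable"
    return "possibly reachable"


if __name__ == "__main__":
    for net_name, net in (("DOUBLER", DOUBLER), ("CYCLE", CYCLE)):
        for m in ({"p1": 0, "p2": 0}, {"p1": 0, "p2": 1}, {"p1": 1, "p2": 1}):
            print(net_name, m, reachability_verdict(m, net))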

Semidecision algorithms, in my opinion, provide good compromises between the inherent algorithmic complexity of full automated verification and the desire to have computer-assistance during validation. Even if such an algorithm yields an indecisive answer, this may still help the user. Another role of automatic verification is in prototyping: typically, a program is verified on a small data domain to gain confidence (or not) for the case of arbitrarily large domains, where automatic verification fails and manual verification, if any, prevails.


5 Performance results

PEP is both a general model-checker and a specific Petri net tool. Hence, its performance can be compared with other model-checkers and with other specific net tools. I report on two such comparisons: one done by Stefan Römer using an article by James C. Corbett [14] and one carried out by Monika Heiner and Peter Deussen as described in [33].

Corbett compares existing systems (SPIN [36], SPIN plus Partial Orders [53], SMV [44] and INCA [15]) on a series of examples, using deadlock detection as a common property to be checked on all examples and all systems. Stefan Römer of the Technische Universität München translated the examples into PEP input and measured the times for checking the same property (deadlock detection) using PEP's algorithm. It so happens that deadlock-freeness is one of the properties which can be expressed in BL, but lead to very large formulae.³ Because of the importance of deadlock-freeness, therefore, PEP implements a dedicated algorithm (namely, McMillan's) to check this, which uses and exploits the finite (optimised) prefix. Hence this comparison is not really about the general model checking algorithm of PEP but about the dedicated deadlock-detection algorithm.

³ For a net with about 50 transitions, Bernd Grahlmann has estimated that deadlock-freeness would lead to disjunctive normal forms - which arise necessarily as intermediate stages of the verification - that are about 4 GB long.

Table 1 - reproduced here by courtesy of Stefan Römer - gives the preliminary results of the experiment. The 'P(size)' (Problem) column refers to the set of examples given in Corbett's paper. The sets S, T and B, E refer to the places and transitions of the original net and of the finite prefix, respectively.⁴ The 'Cuts' column refers to the set of cutoff events (used by the algorithm calculating the finite prefix). The 'F-prefix' and 'Check' columns give the times (in seconds) measured for calculating the finite prefix and for checking the deadlock-freeness property, respectively. The 'C' (Compare) column gives a very crude indication of how PEP's performance relates to the performance of the other systems described in Corbett's paper; ↑ stands for 'better', ↓ stands for 'worse' and - stands for 'not applicable' (mainly because the other systems did not give results). The results contained in table 1 have to be read with a pinch of salt, because it was not possible to reproduce exactly the same hardware environment as used by Corbett for his comparison. To compare memory usage, it is necessary to look at the columns 'States' and '|E|'. It must be mentioned also that we did not check the examples themselves; Stefan Römer just received files from Corbett which he used as input for PEP.⁵ We are presently in the process of repeating the comparisons on a more uniform hardware platform.

The experiment gives a mixed result for PEP: for some examples it performs better than the other model-checkers, for other examples it performs worse. In the light of the theory explained above, PEP is at its best when there is a lot of concurrency but very little choice, and performs comparatively badly in the other extreme, when there is a lot of choice and little concurrency. (In the majority of 'real' cases, there would be a good mix of both concurrency and choice, which PEP, as well as any other automatic model-checker, will have difficulty in coming to grips with.)

The authors of [33] have tested three specifically Petri-net-oriented analysis systems, INA [62], PROD [66] and PEP, on a single common example and a series of properties. The example concerns an industrial production cell with six components: two conveyor belts, a rotatable robot equipped with two extendable arms, an elevating rotatable table, a press and a travelling crane. This case study has recently been used in various (German) projects as a reference example on which various methods, not just Petri nets, can be tested and compared [40].

I will not repeat the experimental results reported in [33], except for mentioning that the speed of checking a property is not unfavourable towards PEP, whenever

⁴ Note that the 'transitions' (i.e. |T|) column does not refer to the transitions of the state graph. Indeed, the number of these transitions has not been counted as they are irrelevant for the algorithms.

⁵ This has led to strange effects such as a net with 1047 places and 5633 transitions but only 125 reachable markings.
P(size)    States    |S|   |T|     |B|    |E|   Cuts  F-prefix     Check  C
CYCL(9)      7423     71    53     172     11     10      0.05      2.18  -
CYCL(12)    74264     95    71     232    104     13      0.13     31.18  -
DAC(12)     14334     84    70     260    146      0      0.12      0.0   ↑
DAC(15)    114686    105    88     371    206      0      0.23      0.0   ↑
DP(10)      48897     60    40     580    280     90      0.30      0.92  ↑
DP(12)          -     72    48     840    408    132      0.62      2.97  ↑
DPD(6)      19861     54    54    3786   1892    499      8.92    103.56  ↓
DPD(7)     109965     63    63    8630   4314   1129     43.13   1266.08  ↓
DPFM(8)        49     87   321     426    209    162      0.08      0.68
DPFM(11)      125   1047  5633    2433   1211   1012      1.27     98.30  -
DPH(6)      16897     57    97   14474   7231   3377     85.78   10344.9  -
DPH(7)      79927     66   121       -      -      -         -         -  -
ELEV(3)      7121    327   783    7398   3895   1629     23.75    496.10  ↓
ELEV(4)     43440    736  1939   32354  16935   7337    417.32    >13463  ↓
FURN(3)     30861     53    99   34505  20770  13837    330.04    >49927  ↓
FURN(4)    214757     66   139       -      -      -         -         -  ↓
GASN(4)     14847    258   465   15928   7965   2876    115.93   19370.2  ↓
GASN(5)    115184    428   841       -      -      -         -         -  ↓
GASQ(3)      1705    284   475    2593   1297    490      3.37     102.0
GASQ(4)     15431   1428  2705   19864   9933   4060    177.56   35342.2  -
HART(75)      153    377   227     529    302      1      1.13      0.22  ↑
HART(100)     203    502   302     704    402      1      2.20      0.32  ↑
KEY(4)      44820    164   174  135556  67775  32081    8811.0         -  ↓
KEY(5)          -    199   215       -      -      -         -         -  ↓
MMGT(3)      7703    122   172   11575   5841   2529     51.56    3166.6  ↓
MMGT(4)     66309    158   232   92940  46902  20957   7509.80         -  ↓
OVER(4)      4175     71    74    1561    797    240      1.65      7.52  ↓
OVER(5)     33460     90    95    7388   3761   1251     30.70    618.39  ↓
RING(7)      1700     91    77     813    403     79      0.63      1.20  ↑
RING(9)    211528    117    99    1599    795    137      2.20      4.67  ↑
RW(9)         523     48   181    9272   4627   4106      5.32    9567.2  ↓
RW(12)       4110     63   313   98378  49177  45069    316.84         -  ↓
SENT(75)      332    254   105     533    266     40      0.93      1.07  ↑
SENT(100)     382    329   130     608    291     40      1.42      1.67  ↑
ABP(1)        113     43    95     337    167     56      0.12      0.60  ↑
BDS(1)      36097     53    59   12310   6330   3701     44.83    6971.3  ↓
DART(1)         -    331   257       -      -      -         -         -
FTP(1)     104911    176   529  178077  89042  35247   15645.5         -  ↓
FTP(2)          -    229   934       -      -      -         -         -  -
Q(1)       123597    163   194   16090   8402   1173    220.77   1125.12  -
SPD(1)       8690     33    39    5317   3138   1311     15.30     510.7  ↓

Table 1: Experimental results by Stefan Römer (cf. [14])
Debate 90: An Electronic Discussion on True Concurrency

Abstract

The following electronic correspondence was posted to the concurrency mailing list, moderated at the time by Albert Meyer, between October 21 and November 19, 1990. It has been reformatted for publication and edited for spelling but otherwise is largely untouched. — Vaughan Pratt

To: pratt@cs.Stanford.EDU
From: dcl@anna.Stanford.EDU
Subject: Partially Ordered Computations
Date: Sun, 21 Oct 90 13:39:23 -0700

Vaughan,

In some recent discussions with people funded by ONR's program on distributed and realtime computing, I have found an attitude that

"sets of linear traces are entirely sufficient for analyzing distributed/concurrent computations, AND Partial Orders are unnecessary".

I also notice that sets of linear traces are the basis for Hoare's PROCOS project.

Questions to you:

1. What is your favorite simple example of a system where a partial order representation of its execution is superior to a set of linear traces of its execution,

2. Would you disagree with the ONR people, and how?

- David

To: dcl@anna.stanford.edu
From: pratt@cs.Stanford.EDU
Subject: Re: Partially Ordered Computations
Date: 21 Oct 90 15:14:37 PDT (Sun)
In-Reply-To: Your message of Sun, 21 Oct 90 13:39:23 -0700.
<9010212039.AA07939@Aphid.Stanford.EDU>

The belief that linear orders capture partial is predicated on several assumptions, most of which have to hold at the same time in order for it to be reliable. While these assumptions tend to hold in very simple or abstract systems, they all gradually fade away as the systems you look at get larger and more concrete.

Here are seven such assumptions.

1. Fixed granularity.

2. No variability of atomic events.

3. Absence of autocurrence.

4. Single-poset processes.

5. Race-free.

6. Single-observer model.

7. Discrete time.

Here is the meaning of each of these concepts.

1. Variable granularity can arise in various quite different ways. One way is just to look at a supposedly atomic event more closely and resolve substructure. But another is to take a binary program whose specification treats it as atomic (on the ground that the vendor doesn't want you to assume anything about the package) and find when you run it that it has a series of side effects on your system, that may interleave with the side effects of other such packages.

You might find it interesting to look at "Teams Can See Pomsets" by Plotkin and myself to see what influence variable granularity can have. It turns out this is not the theoretically worst problem in our paper, #2 below is worse, but it does have some influence.

You can anonymous-ftp a preliminary version of this paper from boole.stanford.edu on pub/pp2.*. [Also in this proceedings, -vp]

2. Variability of atomic events means that although an event stays atomic it might not do identical things each time it happens. Plotkin and I use this phenomenon to show that a sufficiently large team of observers (see item 6) can distinguish any two finite pomsets.

3. Autocurrence means two concurrent and identical events. Without the concurrency requirement we find two such repetitions in the word "identity": there are two t's and two i's. An example with concurrence is when you ask the bank teller for two dollars. If dollars always came sequentially there'd be no quarrel about the legitimacy of the string 11 as a specification for two dollars. But what about 1|1 meaning "Give me two dollars please." This phenomenon arises as soon as you distinguish pomsets from posets.

With autocurrence you can get a|a, which traces can't distinguish from aa. This can be solved via so-called "action refinement", used in solving 1 above. But action refinement gets you only so far, in particular it can't be used in conjunction with traces to distinguish TR|TR (two parallel sequences each of T - R, e.g. two parallel message streams) from the same thing with the extra requirement that one of the T's precede both of the R's. But pomsets can make that distinction, using the N pomset.

4. A single-poset process is one defined by a single poset. This is a key assumption in the theorem coding posets as their linearizations. However this assumption is rarely achievable in practice. It is false that a set of posets can be encoded with the union of their respective sets of linearizations.

5. When a and b are in a race, the trace model reveals only ab+ba. But race-free nondeterminism, which chooses one of ab + ba, has the same trace representation. This matters for example in the glitch problem. You may want to implement ab + ba glitch-freely, but you cannot say it with traces. This is a pretty simple argument, so you might use it first (I suppose I should have).

The same argument applies to distinguishing the mutually exclusive execution of two atomic operations from their concurrent execution. The trace model has built into it the assumption that mutually exclusive execution and concurrent execution are the same thing for atomic events. This interacts with item 1.

6. Most models of concurrency assume that one observer collects all the observations. In practice observers are as distributed as the systems they observe, and can pool their distributed observations in ways entirely unrelated to the computational model used to prove correctness of a particular distributed system. This is a subtle point that Plotkin and I go to pains to explain in detail in our paper. [Shortened for the proceedings version, -vp]

7. Time must be discrete for traces to model interleaving. Just what exactly is the set of all interleavings of two copies of the unit interval [0,1]? Consider a dual beam oscilloscope. Are you going to describe its two beams in terms of their interleavings?

These issues are specific technical problems that arise with traces. But besides any question of what might actually go wrong, there is also the question of the most natural model. I feel that models should attempt to be reasonably faithful to what they model, if the mathematics supports this. Even if your unnatural model happens to be working today, my feeling is that unnatural models are more likely to break down in the future than natural ones.

When you have a computer in Europe talking via satellite to one in the US, the time between instructions is thousands of times less than that between computers. A natural way to model the instruction streams of the two computers then is with two sequences. The trace model does not accept this, on the ground that a computation consists of one sequence. It says that you must interleave the two sequences in all possible ways before you can reason soundly about the system.

The problem is that the only serious mathematics that many practicing computer scientists get exposed to is computation theory, where they are taught that all computation is sequential. Getting through their computation theory course was one of the bigger struggles of their college education, but mastery of it vindicated the enormous outlay of tuition and board for all those years when they could have been learning on the job.

So then they run into concurrency in the real world and they simply cannot cope with the concept of two parallel streams, because they have never seen any such concept in their textbooks, nor any theorems about such concepts. Therefore they do the only thing possible: they interleave in order to reduce to a known model with known theorems.

I can say on the basis of having worked with both models for many years that posets are far more flexible and easier to work with than traces. Having to think about systems in terms of traces is like trying to do arithmetic with Roman numerals. Yes, Roman numerals indeed code integers, and furthermore the algorithms for adding and multiplying Roman numerals do work, but that's not a great reason to stick with Roman numerals.

Vaughan Pratt


To: concurrency@theory.lcs.mit.edu
From: rance@adm.csc.ncsu.edu (Rance Cleaveland)
Date: Mon, 22 Oct 90 11:29:48 -0400

Another reason for using posets crops up when one wishes to reason about the real-time properties of a system. Assuming that one is working in a setting where each atomic action takes 1 time unit, a|b ("a and b truly in parallel") should also take 1 time unit, while ab + ba will take 2. So it seems a bit surprising to me that a group of people interested in real time would find linearizations an adequate model of concurrency.

Rance Cleaveland


To: concurrency@theory.lcs.mit.edu
From: Vaughan Pratt <pratt@cs.Stanford.EDU>
Subject: modeling concurrency with partial orders
Date: Mon, 22 Oct 90 12:57:26 PDT

Rance's comment on real time reminds me. I neglected to connect up with recent work explaining why true-concurrency hackers seem to prefer the poset side of an otherwise surely symmetric duality between posets as schedules and distributive lattices as automata, a duality generalized by Winskel et recently many al to event structures, dual to families of configurations.

The reason is that automata are 1-dimensional and hence can only exhibit the structure of interleaving concurrency. This is intuitively obvious to true true concurrency hackers, and I can only infer that the proponents of this duality in its published form are false true concurrency hackers.

In order to faithfully and continuously represent, on the automaton side of the duality, the structure of true concurrency that its proponents like myself so vividly imagine to exist on the poset side, automata should be made higher dimensional. This has been done implicitly by van Glabbeek and Vaandrager in PARLE-87 via the notion of ST-bisimulation. I will be momentarily sending off my POPL paper explaining how to make more explicit the geometry implicit in this (if I just can restrain myself long enough from writing these damn messages).

Apropos of real time, the phenomenon by which two pencils can be put into a shirt pocket only high enough to accommodate one, impossible in the interleaving world as Rance points out, translates under this duality to the need for the L∞ norm (i.e. max(x,y)) in measuring duration of truly concurrent processes in higher-dimensional automata. In contrast the L1 norm or Manhattan metric x + y measures duration of interleaved processes, that operate the way a New York taxi has to in alternating between going East and North. (So you should have inferred by now that this is the model where one lays out parallel instruction streams orthogonally, as Papadimitriou does in treating deadlock).

If one tries to approach true concurrency by refining the granularity of this interleaving, one arrives in the limit at still the L1 norm. That is, you may have a perfectly straight line running diagonally across the product square (the product of two transitions, a surface, arising just as in the product construction for automata) but it still represents interleaved concurrency by being its limit. In this extreme case true concurrency can be distinguished from interleaving not by its shape but only its speed.

Vaughan Pratt


To: concurrency@theory.lcs.mit.edu
From: infhil!eike@relay.eu.net (Eike Best)
Subject: Re: The discussion on (sometime) superiority of p.orders
Date: Thu, 25 Oct 90 16:08:58 +0100

Here are my 2 Pfennige worth of contribution. I claim:

Sometimes partial orders let you define a concept more smoothly than arbitrary interleavings. A case in point is "finite delay". Finite delay is supposed to mean: if an action is continually enabled, then it occurs sometime.

In a sequential system, finite delay can be expressed by the maximality of an execution sequence (you would like to go as far as possible).

Consider a* || b* versus (a[]b)* (where [] is nondet. choice). The sequence aaaaa... (infinitely often a but no b) contradicts the finite delay property in a* || b*, since the b is not prohibited from occurring and could always occur. However, aaaaa... does NOT contradict the finite delay property in (a[]b)*, since the occurrence of a is always alternative to b, and so b is continually prohibited from occurring.

The distinction can be captured by noticing that aaaaa..., while being maximal as a string, is not maximal as a partial order of a* || b*, but IS maximal as a partial order of (a[]b)*.

Eike Best

PS I don't claim you NEED partial orders here, but I do claim that it's nice to use them, since the concept of maximality directly generalizes the sequential one.
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To:  prattCcs.stanford.edu 

Cc :  concurrencyCtheory . lcs . mit . edu ,  dclCanna . Stanford . edu 
From:  meyerCtheory.lcs.mit.edu  (Albert  R.  Meyer) 

Subject:  modeling  concurrency  with  partial  orders 
In-Reply-To:  prattCcs.stanford.edu  Mon,  22  Oct  90  09:57:06  EDT 
Date:  Fri,  26  Oct  90  14:01:09  EDT 

I  support  most  of  your  remarks,  but  I  don’t  think  we  should  accept  David 
Luckham  s  formulation  of  the  issue  as 

(1)  Linear  versus  Partial  Order 

but  rather  emphasize 

(2)  Interleaving  Nondeterminacy  versus  Concurrency 

Formulation  (I)  highlights  the  particular  detail  of  whether  concurrent  pro¬ 
cesses  are  abstractly  represented  by  some  structure  involving  linear,  rather  than 
partial,  orders.  This  can  hardly  be  crucial,  since,  as  you  well  know,  every  partial 
order  is  uniquely  determined  by  the  set  of  its  linearizations. 

Formulation  (2)  forces  us  to  clarify  the  limitations  of  the  in  many  respects 
successful  interleaving-concurrency  models  of  CCS,  CSP,  MEIJE,  ACP,  etc. 
Though  the  following  remarks  are  well  known  to  you  and  the  Continental  re¬ 
search  community  in  concurrency,  Luckham’s  note  confirms  my  impression  that 
the  issue  is  still  not  well  understood  elsewhere,  so  maybe  it’s  worth  rehashing 
the  basis  of  the  story  another  time: 

The  crux  of  the  criticism  of  interleaving  is  captured  in  the  equation 

(3)  a\b  =  a6  4*  6a. 

Equation  (3)  may  be  read  as  asserting  that  the  process  a|6,  which  can  CON¬ 
CURRENTLY  perform  actions  a  and  6,  may  be  identified  with  the  process 
a6  +  6a,  which  NONDETERMINISTICALLY  chooses  to  do  either  a-then-6  or 
else  6-then-a. 

Equation  (3)  is  an  axiom  in  the  interleaving-based  theories,  but  maintaining 
it  RULES  OUT  extensions  of  the  theory  to  include 

(i)  observations  of  simultaneity:  a  and  6  can  be  observed  simultaneously  in 
the  computation  of  process  a|6,  but  not  in  ab  +.6a. 

(ii)  observations  of  the  same  computation  by  two  or  more  sequential  ob¬ 
servers  at  distributed  locations:  under  reasonable  assumptions  about  signal 
propagation  over  distance,  two  such  observers  watching  a  computation  of  a|6 
might  see  DIFFERENT  linear  traces  (namely  one  could  see  la6T  during  the 
same  interval  that  the  other  saw  4  6 a’),  but  under  the  same  assumptions  two 
observers  would  always  see  the  SAME  trace  (namely,  exactly  one  of  ab  or  6a) 
in  any  given  computation  of  ab+ba.  I  was  delighted  by  this  remark  when  I  first 
learned  it  from  you  and  Plotkin. 

(iii)  refinement  of  action  atomicity-what  you  felicitously  called  “variable 
granularity”:  refining  a  in  a|6  to  be  the  two  step  sequential  process  cd  yields 
a  process  with  the  trace  cbd,  but  refining  a  in  a6  -f  6a  yields  no  such  trace;  I 
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first  learned  this  point  from  a  note  in  1987  by  Castellano  et  al  in  the  EATCS 
Bulletin. 

Insofar as these extensions are desirable, one has to retreat from the simple
interleaving model. The ideas that actions have duration, and more generally
the ideas of critical regions and atomicity, are usually regarded as an important
aspect of pragmatic concurrent processing. Because (iii) seems like a plausible
theoretical way to model both action duration and relaxing atomicity requirements,
extending the theory to cover it does seem desirable.

On the other hand, having agreed that interleaving theories need modification,
I don't think we can say that your pomset models or the Mazurkiewicz-trace
models have been fully justified as appropriate concurrency theories. For
example, multiple observers don't justify distinguishing the pomset processes
P1 and P2 where P1 is the singleton pomset (.a .b) and P2 = P1 union one of
its augmentations, say the singleton

.a
|
.b

Similarly, the various proposed event/behavior structure models are all based
on generalized notions of bisimulation. I have raised my doubts in earlier messages
to this forum about how the detailed distinctions between processes made
by bisimulation can be justified computationally.

Despite  these  reservations,  let  me  say  that  I  do  believe  that  the  modeling  of 
a  concurrent  run  of  a  computation  with  a  pomset  is  pretty  natural. 

Regards,  A.  Moderator,  concurrency@theory.lcs.mit.edu 


To: concurrency@THEORY.LCS.MIT.EDU, dcl@anna.Stanford.edu
From: pratt@cs.Stanford.edu
Subject: Re: modeling concurrency with partial orders
In-Reply-To: Your message of Fri, 26 Oct 90 14:01:09 EDT.
<9010261801.AA13008@stork>
Date: 26 Oct 90 14:52:07 PDT (Fri)

I  appreciate  your  words  of  support,  Albert.  Some  minor  comments  on  four 
points. 

>This can hardly be crucial, since, as you well know, every
>partial order is uniquely determined by the set of its
>linearizations.

This is Szpilrajn's theorem [1], a “fragile” theorem in the following sense.
A robust theorem about a structure should remain true when one adds further
structure. Szpilrajn's theorem holds neither for a set of posets nor for labeled
posets. Both these structures must be added to the basic poset structure to
make it useful as a model of concurrency. I therefore view David's comparison
of linear to partial orders in the context of their application to concurrency as
quite appropriate.

>(3) a|b = ab+ba.
>
>Equation (3) is an axiom in the interleaving-based theories, but
>maintaining it RULES OUT extensions of the theory to include

The  equational  logic  of  regular  expressions  has  a  very  interesting  property.  If 
you  regard  its  variables  as  denoting  only  themselves  as  symbols  of  an  alphabet, 
the  set  of  equations  valid  under  that  very  restricted  interpretation  turns  out 
to  be  the  same  as  when  you  let  the  variables  range  over  arbitrary  languages. 
That  is,  the  theory  does  not  change  when  you  treat  its  variables  as  self-denoting 
constants. 

This interesting property fails as soon as you add almost any other operation,
whether or not that operation preserves regularity. Such operations include
complement -a, intersection a∩b, interleaving a|b, quotient a\b, and residual
a → b = -(ab).

Equational  theories  are  closed  under  substitution.  In  view  of  this  I  would 
like  to  discourage  extending  to  other  languages  the  practice  in  the  language  of 
regular  expressions  of  denoting  atoms  by  variables.  I  would  be  more  comfortable 
seeing  (3)  written  as  a  conditional  implication: 

atomic(a) ∧ atomic(b) → a|b = ab + ba

or more generally:

atomic(a) ∧ atomic(b) → mutex(a,b)
mutex(a,b) → a|b = ab + ba

since  mutex(a,b)  (I  hope  the  meaning  is  clear)  is  at  its  most  useful  when  it 
holds  of  particular  nonatomic  processes. 

>For example, multiple observers don't justify distinguishing the
>pomset processes P1 and P2 where P1 is the singleton pomset
>(.a .b) and P2 = P1 union one of its augmentations, say the
>singleton

Provably so of course: our multiple observer model can't distinguish a process
from its augment closure. Gordon and I now have the converse of this,
at least for finite pomsets, that is that distinct augment closed processes of
finite pomsets are distinguishable by sufficiently large teams (infinite when the
dimension of the pomsets is unbounded).

>I have raised my doubts in earlier messages to this forum about
>how the detailed distinctions between processes made by
>bisimulation can be justified computationally.

Having written about it you're better qualified than I to express such reservations.
However my intuitive feeling is that Hennessy-Milner logic, which justifies
all distinctions made by bisimulation, is not an excessively strong language in
the context of debugging, where the programmer marches backwards and forwards
along a misbehaved nondeterministic computation trying to find what
caused the misbehavior and experimenting by making little changes and seeing
how they propagate side-effects forward and predicates backwards (through
predicate transformers).

[1] E. Szpilrajn, Sur l'extension de l'ordre partiel, Fund. Math. 16, 386-389,
1930.
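As an added illustration, not part of either message above: a small Python model of Albert's points (i)-(iii) and of the fragility of Szpilrajn's theorem as Pratt describes it. A pomset is represented as a labelling of events plus a precedence relation, a process as a list of pomsets; the code enumerates linear traces, recovers a partial order as the intersection of its linearizations, and refines an event into a sub-pomset (variable granularity). Every function name and the sample processes are this example's own.

```python
"""Pomsets, linear traces and the fragility of Szpilrajn's theorem.

Added example, not code from any of the messages above.  A pomset is a
pair (labels, order): `labels` maps each event to its action label and
`order` is a set of (x, y) pairs meaning event x precedes event y.  A
process is a list of pomsets.  All names here are this example's own.
"""


def linear_extensions(events, order):
    """Every linear order (as a tuple of events) extending `order`.

    `order` may be any acyclic relation; its transitive closure is the
    partial order being linearized.
    """
    events = frozenset(events)

    def rec(remaining, done):
        if not remaining:
            yield tuple(done)
            return
        for e in sorted(remaining, key=str):
            # e may come next only if none of its predecessors is still pending
            if all(p not in remaining for (p, q) in order if q == e):
                yield from rec(remaining - {e}, done + [e])

    return set(rec(events, []))


def intersection_of_linearizations(events, order):
    """Szpilrajn's theorem (Theorem 1 of Pratt's 1986 paper): intersecting the
    graphs of all linearizations gives back the transitively closed order."""
    graphs = []
    for lin in linear_extensions(events, order):
        graphs.append({(lin[i], lin[j]) for i in range(len(lin))
                       for j in range(i + 1, len(lin))})
    return frozenset(set.intersection(*graphs))


def traces(labels, order):
    """Label strings a single sequential observer could report for one pomset."""
    return {"".join(labels[e] for e in lin)
            for lin in linear_extensions(labels, order)}


def process_traces(process):
    """Union of the traces of every pomset in a process (a list of pomsets)."""
    return set().union(*(traces(labels, rel) for labels, rel in process))


def refine(labels, order, event, sub_labels, sub_order):
    """Variable granularity: replace `event` by the sub-pomset
    (sub_labels, sub_order).  New events are named (event, s); every old
    predecessor of `event` precedes all of them, and all of them precede
    every old successor."""
    new_labels = {e: lab for e, lab in labels.items() if e != event}
    new_labels.update({(event, s): lab for s, lab in sub_labels.items()})
    new_order = {(p, q) for (p, q) in order if event not in (p, q)}
    new_order |= {((event, s), (event, t)) for (s, t) in sub_order}
    for (p, q) in order:
        if q == event:
            new_order |= {(p, (event, s)) for s in sub_labels}
        if p == event:
            new_order |= {((event, s), q) for s in sub_labels}
    return new_labels, new_order


def refined_process(process, event, sub_labels, sub_order):
    """Refine the same event in every pomset of a process."""
    return [refine(labels, rel, event, sub_labels, sub_order)
            for labels, rel in process]


# Constructed processes over events x, y carrying labels a, b.
A_PAR_B = [({"x": "a", "y": "b"}, set())]            # a|b: a and b concurrent
AB_PLUS_BA = [({"x": "a", "y": "b"}, {("x", "y")}),  # ab + ba: a choice
              ({"x": "a", "y": "b"}, {("y", "x")})]
CD = ({"c": "c", "d": "d"}, {("c", "d")})             # the two-step process cd

if __name__ == "__main__":
    # A single sequential observer cannot tell a|b from ab + ba ...
    print(process_traces(A_PAR_B), process_traces(AB_PLUS_BA))
    # ... but refining a into cd separates them: only a|b yields the trace cbd.
    print(process_traces(refined_process(A_PAR_B, "x", *CD)))
    print(process_traces(refined_process(AB_PLUS_BA, "x", *CD)))
    # Szpilrajn fails for labeled posets: a|a and aa have the same single trace.
    print(traces({"x": "a", "y": "a"}, set()),
          traces({"x": "a", "y": "a"}, {("x", "y")}))
```

Two things to notice when running it: the trace sets of `A_PAR_B` and `AB_PLUS_BA` coincide (so the set of posets {a|b} and the set {ab, ba} have the same linearizations, which is the failure of Szpilrajn's theorem for sets of posets), while `intersection_of_linearizations` on a single unlabeled poset always recovers it.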


To: sri-unix!theory.lcs.mit.edu!meyer@unix.sri.com,
    sri-unix!theory.lcs.mit.edu!concurrency@unix.sri.com
From: tcipro!ramu@unix.sri.com (Ramu Iyer)
In-Reply-To: Albert R. Meyer Fri, 26 Oct 90 14:01:09 EDT
Subject: modeling concurrency with partial orders
Date: Fri, 26 Oct 90 16:09:54 PDT

On  Fri,  26  Oct  90  14:01:09  EDT,  Albert  R.  Meyer  said: 

Albert>  I  support  most  of  your  remarks,  but  I  don't  think  we 
Albert>  should  accept  David  Luckham's  formulation  of  the  issue  as 
Albert>  (1)  Linear  versus  Partial  Order 

Albert>  but  rather  emphasize 

Albert> (2) Interleaving Nondeterminacy versus Concurrency

Here  are  three  references  that  discuss  these  pioneering  issues: 

L.  Castellano,  G.  De  Michelis,  L.  Pomello.  Concurrency  vs  Interleaving:  An 
Instructive  Example.  Bulletin  of  the  EATCS,  31,  1987,  pp.  12-15. 

D.B. Benson, Concurrency and Interleaving are Equally Fundamental. Bulletin
of the EATCS, 33, 1987.

W.  Reisig,  Concurrency  is  More  Fundamental  than  Interleaving,  Bulletin  of 
the  EATCS,  ??,  1988. 

Cheers, 

-Ramu  Iyer 


To: concurrency@theory.lcs.mit.edu
From: Vaughan Pratt <pratt@cs.Stanford.edu>
Subject: modeling concurrency with partial orders
Date: Sat, 27 Oct 90 00:55:01 PDT


>>>From: tcipro!ramu@unix.sri.com (Ramu Iyer)
>>>Subject: modeling concurrency with partial orders
>>>Here are three references that discuss these pioneering issues:
>>> <3 references from 1987-88: Castellano et al, Benson, Reisig>

I'd like to suggest some earlier dates than 1987 or 1988 as more suitable
candidates for "pioneering."

The earliest proposal I'm aware of to model concurrency with partial orders is
Irene Greif's MIT Ph.D. thesis from 1975. Jan Grabowski and Nielsen-Plotkin-Winskel
both have 1981 journal papers on partial orders for concurrency, with
both parties reporting on work done at the end of the 1970's. C.A. Petri
allegedly had advocated partial orders long ago, though not in writing as far as
I'm aware.

Unlike these pioneers I did not appreciate the need for partial orders in
concurrency myself until 1980. This was not for want of experience with concurrent
computing. I had implemented various interrupt-driven packages in
1967-69, and I wrote and thought a fair bit about concurrency during the 1970's
(1972: thesis chapter on sorting networks; 1974: showed with Larry Stockmeyer
that P=NP on parallel computers; 1974-5: two circuit complexity results; 1976:
solved the mutual exclusion problem for unreliable processes with Ron Rivest;
1979: axiomatized process logic).

But  I  did  not  appreciate  the  advantages  of  partial  orders  for  concurrency 
until  early  1980  when  I  was  trying  to  understand  Brock  and  Ackerman’s  paper. 
My  pomset  campaign  began  with  my  POPL-82  paper  on  that  subject,  "On  the 
Composition  of  Processes"  which  proposed  formalizing  Brock  and  Ackerman’s 
solution  to  their  anomaly  in  terms  of  partially  ordered  multisets.  I  coined  the 
abbreviation  "pomset"  a  few  months  later. 

I wrote a short paper on applying pomsets to the Two-Way-Channel-With-Disconnect
problem for the 1983 concurrency workshop in Cambridge UK,
LNCS 207, as well as a statement I circulated at IFIP-83 a week after that
conference as part of a concurrency panel session chaired by Robin Milner in
which I argued the case for pomsets. I also spoke about pomset semantics at
Logics of Programs 1983 (no written paper unfortunately), and again in LOP
85.

This last paper was subsequently published in International Journal of Parallel
Programming, 15:1, 33-71, 1986, as "Modeling Concurrency with Partial
Orders" (same title as the subject line of the last 10 messages). (If you don't
have that journal in your library you can retrieve this paper by anonymous FTP
from boole.stanford.edu as /pub/ijjp.{tex,dvi}.)

I  reproduce  here  the  arguments  I  gave  in  that  1986  paper  in  support  of 
partial  orders.  Note  particularly  item  (v),  which  begins 

(v) "A serious difficulty with the interleaving model is that exactly what is
interleaved depends on which events of a process one takes to be atomic."

and goes on to explain how refinement (as it is now called) distinguishes
a|b from ab + ba and hence makes the meaning of interleaving dependent on
granularity. While I know of no prior reference in the literature to the use of
refinement to distinguish a|b from ab + ba I'm sure the idea had occurred to
many people before, even if writing it down had not.

See also the postscript-1990 at the end, on the outcome of my long-standing
problem of axiomatizing the equational theory of concatenation and interleaving
for formal languages. It is noteworthy that the solver independently invented
pomsets for the express purpose of solving this purely interleaving question.

Extract from "Modeling Concurrency with Partial Orders", 1986

1.2  Why  Partial  Orders? 

Strings arise naturally in modeling ongoing sequential computation, whether
the symbols in the string correspond to states, commands, or messages. Thus
the string uvu may model the sequential execution of three commands u, v, u,
or a transition from state u to state v followed by a transition back to u, or a
sequence of three messages u,v,u transmitted sequentially on some channel.

Strings  are  linearly  ordered  sets,  or  rather  linearly  ordered  multisets  (since 
repetitions  are  possible),  of  symbols  from  some  alphabet.  In  unison  with  the 
workers  mentioned  at  the  end  of  this  section  we  advocate  partial  orders  in  place 
of  linear  orders  in  modeling  concurrent  computation.  At  present  however  partial 
orders  have  nowhere  near  the  popularity  of  linear  orders  for  modeling  concurrent 
computation.  This  could  be  for  any  of  the  following  reasons. 

(i) Languages and their associated operations, particularly union, concatenation,
Kleene star, and shuffle, provide a natural model for the corresponding
programming language control structures: choice, sequence, iteration, and
concurrency. The behavior of languages under these operations has been studied
intensively for more than two decades. Thus languages provide a familiar and
well-understood model of computation. In this model the linear order on the
elements of a string is interpreted as the linear temporal order of events, and the
operations on languages may be interpreted as control structures: concatenation
as begin-end sequencing, star as iteration, shuffle as concurrency, etc.

(ii)  Every  poset  is  representable  as  the  set  of  its  linearizations.  This  theorem 
would  appear  to  confer  on  linear  orders  the  same  representational  ability  as 
partial  orders. 

(iii) Linear orders appear to be faithful to physical reality. In the practical
engineering world, as opposed say to the physicist's relativistic world, instantaneous
events have a well-defined temporal order, justifying the assumption of
linearly ordered time. Furthermore, in any rigid system temporal order is
well-defined even in a relativistic model. Any departures from rigidity are assumed
to be sufficiently minor in practice as to justify adhering to a linear-order model.

Reason  (i)  would  lose  most  of  its  force  if  partial  orders  were  to  be  equipped 
with  operations  analogous  to  those  of  formal  languages  that  could  be  interpreted 
as  programming  language  control  structures.  This  is  just  what  this  paper  does; 
some  of  the  operations  on  pomsets  that  we  introduce  correspond  to  more  or 
less  familiar  programming  language  constructs,  others  are  merely  candidates 
for possible future programming or hardware languages.

Reason  (ii)  is  based  on  the  following  well-known  theorem,  which  shows  that 
a  partial  order  can  be  represented  as  the  set  of  its  linearizations. 

Theorem  1.  The  intersection  of  the  linearizations  of  a  partial  order  is  that 
partial  order. 

(For the purposes of defining intersection, a partial order is considered to be
its graph, that is, the set of all pairs (a, b) such that a < b.)

This  theorem  is  easily  proved  under  the  (non-obvious)  assumption  that  every 
partial  order  has  at  least  one  linearization,  by  showing  that  any  partial  order  in 
which  a  and  b  are  incomparable  can  be  extended  to  one  in  which  a  <  b  and  to 
another  in  which  b  <  a. 

This theorem about posets runs into two difficulties when trying to apply
it to processes modeled as sets of pomsets. The theorem generalizes neither
to pomsets nor to sets of posets, and a fortiori not to sets of pomsets. We will
return to this issue in section 2.6, after the necessary definitions have been given.

Reason (iii), that the engineer's world is linear in time, fails in at least three
situations: complex systems, nonatomic events, and relativistic systems. Beyond
a certain scale of system complexity it becomes infeasible to keep thinking
in terms of a global clock and a linear sequence of events. A cover story in the
magazine Electronics [3] describes a growing trend in the design of logic circuits
to eliminate global clocks and rely more on self-timed circuits. On a larger
scale asynchrony has been with us for a long time. When a large number of
computers communicate with each other over channels whose delay is several
orders of magnitude greater than the clock time of each computer, the concept
of global time provides neither a faithful account of the concurrent computation
of all those computers nor even a particularly useful one. There is no reason to
suppose that the various instruction streams of these computers are interleaved
to form one stream. Indeed it is much more convenient, both conceptually and
computationally (e.g. when computing with such streams as part of reasoning
about them) just to lay down these streams side by side and call this juxtaposition
of streams a model of their concurrent execution. Data flowing between
the computers may augment the order implicit in the juxtaposition, but this
relatively sparse augmentation of the order is motivated by the actual mechanics
of communication, unlike the more stringent and totally artificial ordering
requirement of completely interleaving the streams.

A  concrete  situation  that  may  make  this  more  compelling  consists  of  a  ship 
rolling  somewhere  in  the  Pacific,  in  satellite  communication  with  another  ship 
in  the  Indian  Ocean.  The  events  on  the  buses  of  the  computers  on  each  ship 
take  place  with  a  precision  measured  in  nanoseconds,  but  the  delay  in  getting  a 
packet  from  one  computer  to  another  may  be  on  the  order  of  a  second  or  more. 
The  idea  that  the  totality  of  events  in  the  two  computers  has  a  well-defined  linear 
ordering  can  have  no  practical  status  beyond  that  of  a  convenient  mathematical 
fiction.  Our  position  is  that  it  is  neither  convenient  nor  mathematically  useful. 
It  is  just  as  convenient,  and  more  useful,  to  work  with  partial  orders. 
Nonatomic events provide another situation where linear orders break down.
An  event  may  be  more  complex  than  a  moment  in  time.  It  may  be  an  interval 
in  the  sense  of  a  convex  subset  of  a  linear  order.  It  may  be  a  set  of  intervals,  such 
as  a  game  punctuated  by  timeouts  or  a  TV  movie  punctuated  by  commercials. 
More  generally  still  it  may  be  some  arbitrary  set  of  moments.  However  even 
for  such  complex  events  it  still  makes  sense  to  say  that  one  event  may  precede 
or  follow  another,  meaning  that  every  moment  of  the  first  event  precedes  every 
moment  of  the  second.  Yet  such  events  are  clearly  not  linearly  ordered. 

Relativity  provides  yet  another  situation  where  time  is  not  linearly  ordered. 
In  any  nonrigid  system,  that  is,  one  whose  components  are  moving  with  respect 
to  each  other,  simultaneity  ceases  to  be  well-defined  and  two  moving  observers 
can  report  contradictory  orders  of  occurrence  of  a  pair  of  events.  Any  system 
nontrivially  subject  to  relativistic  effects  is  a  candidate  for  a  partially  ordered 
model  of  computation.  Of  course  many  systems  will  not  be  so  subject,  but  we 
see  it  as  an  advantage  of  the  partial-order  approach  that  it  applies  equally  well 
to  relativistic  and  Newtonian  (global-time)  situations. 

In  addition  to  our  responses  to  (i)-(iii),  we  have  the  following  additional 
reasons  for  preferring  partial  orders. 

(iv) Some concepts are only definable for partial orders, in particular
orthocurrence, which amounts to the direct product of pomsets, which we define
in full later. The solution given above to the problem of specifying the
two-way-channel-with-disconnect contains two essential uses of orthocurrence, along
with two less essential uses. The concept is an extremely natural and useful one
for partial orders, but it is not at all obvious how one would go about defining
it in a linear-order model, or even whether it is definable.

(v) A serious difficulty with the interleaving model is that exactly what is
interleaved depends on which events of a process one takes to be atomic. If
processes P and Q consist of the single atomic events a and b respectively then
their interleaving is {ab, ba}. However if the same events a and b are perceived
by someone else not to be atomic, by virtue of having subevents, then P and Q
have a richer interleaving than ab+ba. It is reasonable to consider instantaneous
events as absolutely atomic, but we would like a theory of processes to be just
as usable for events having duration or structure, where a single event can be
atomic from one point of view and compound from another. In the partial-order
model what it means for two events to be concurrent does not depend on the
granularity of atomicity.

(vi) In some situations pomsets appear to be easier to reason about than
strings. For example it is relatively straightforward to axiomatize the equational
theory of pomsets under the operations of concurrence and concatenation
(Theorem 5.2). The corresponding theory for strings has resisted all attempts at
its axiomatization. Gischer and the author have both worked extensively on the
problem of whether this simply described theory has a finite axiomatization.
The problem has been posed on two occasions at the (San Francisco) Bay Area
Theory Symposium, generating interest but no answers in more than eighteen
months.

[Postscript 1990: this problem was finally solved in 1988 by Steven Tschantz,
an algebraist at Vanderbilt, who settled it in the affirmative by a truly beautiful
argument only a week after I posed the problem along with a list of others at
the end of an invited lecture at a universal algebra conference in 1988. In doing
so he reinvented pomsets quite independently as an essential tool in the proof;
I had stated the problem purely for languages with no mention of pomsets at
any point in my talk, which was about dynamic logic. -vp]

[Postscript 1996: Tschantz's result was subsequently published in Mathematical
Structures in Computer Science 4:4 (December 1994), pp. 505-511.
-vp]

Vaughan  Pratt 
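Added example, not from Pratt's 1986 paper or from any message on the list: the step used in the proof sketch of Theorem 1 above (given incomparable a and b in a partial order, extend it to one with a < b and to another with b < a; for a transitively closed order the intersection of the two extensions is the original order), together with a count of how many interleavings the "two ships" juxtaposition of independent streams admits, compared with the size of the partial order itself. All function names are this example's own.

```python
"""Extending a partial order, and the price of interleaving two streams.

Added example, not from Pratt's 1986 paper or the mailing list.  A strict
partial order is a transitively closed, irreflexive set of (x, y) pairs.
All function names here are this example's own.
"""
from functools import lru_cache
from math import comb


def transitive_closure(pairs):
    """Smallest transitive relation containing `pairs` (Warshall's algorithm)."""
    closure = set(pairs)
    nodes = {x for pair in closure for x in pair}
    for k in nodes:
        for i in nodes:
            for j in nodes:
                if (i, k) in closure and (k, j) in closure:
                    closure.add((i, j))
    return closure


def is_strict_partial_order(pairs):
    """Transitively closed and irreflexive (hence also antisymmetric)."""
    return transitive_closure(pairs) == set(pairs) and all(x != y for x, y in pairs)


def extend(order, a, b):
    """The proof step of Theorem 1: given incomparable a, b in a strict partial
    order, force a < b and close transitively.  The result is again a strict
    partial order, because no cycle can pass through the newly added pair."""
    if (a, b) in order or (b, a) in order:
        raise ValueError("a and b are already comparable")
    return transitive_closure(set(order) | {(a, b)})


def count_linearizations(events, order):
    """Number of linear extensions, by memoised recursion on the set of events
    already placed (counting rather than enumerating, so larger posets are fine)."""
    events = frozenset(events)

    @lru_cache(maxsize=None)
    def rec(done):
        if done == events:
            return 1
        # any event whose predecessors are all placed may come next
        return sum(rec(done | {e}) for e in events - done
                   if all(p in done for (p, q) in order if q == e))

    return rec(frozenset())


def two_streams(n):
    """Two sequential streams u0<...<u(n-1) and v0<...<v(n-1) laid side by side:
    the two ships' computers before any packet passes between them."""
    events = {f"u{i}" for i in range(n)} | {f"v{i}" for i in range(n)}
    order = {(f"u{i}", f"u{i + 1}") for i in range(n - 1)}
    order |= {(f"v{i}", f"v{i + 1}") for i in range(n - 1)}
    return events, order


def with_message(events, order, send, receive):
    """Sparse augmentation of the juxtaposition: a send precedes its receive."""
    return events, set(order) | {(send, receive)}


if __name__ == "__main__":
    order = {("x", "y")}                  # x < y, z incomparable to both
    up, down = extend(order, "z", "x"), extend(order, "x", "z")
    print(up, down, up & down == order)
    for n in (2, 4, 8):
        events, rel = two_streams(n)
        # interleavings grow as C(2n, n); the partial order has only 2n-2 pairs
        print(n, count_linearizations(events, rel), comb(2 * n, n), len(rel))
```

The count for two independent streams of n events each is the binomial coefficient C(2n, n), while the partial order that describes the same situation has 2n-2 covering pairs; one communication edge removes exactly the interleavings that put the receive before the send.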


To: concurrency@theory.lcs.mit.edu
From: lamport@src.dec.com (Leslie Lamport)
Subject: for the concurrency mailing list
[Moderator's retitle: Flame re distributed processes and granulity]
Date: Tue, 6 Nov 90 17:13:59 -0800

I admire philosophers. They have so much to teach us. From Aristotle I
learned that heavier bodies fall faster than lighter ones; Kant showed me that
non-Euclidean geometry is impossible; and Spinoza proved that there can be
at most seven planets. And now, the philosophers on the concurrency mailing
list have told me all the things I can't do because I use a logic based on an
interleaving model:

I  can’t  reason  about  distributed  systems. 

In 1982 I published a proof of the distributed algorithm then used in the
Arpanet to maintain its routing tables ["An Assertional Correctness Proof of a
Distributed Algorithm", Science of Computer Programming 2, 3 (Dec. 1982),
175-206]. Since then I have written more formal proofs of more complicated
distributed algorithms.

I  can’t  deal  with  changes  in  the  grain  of  atomicity. 

In 1983 I published a paper ["Specifying Concurrent Program Modules",
TOPLAS 5, 2 (April 1983) 190-222] containing:

A  specification  of  a  queue,  in  which  adding  or  removing  an  element  is  a  single 
atomic  operation. 

An  implementation  in  which  an  element  is  moved  into  and  out  of  the  queue 
one  bit  at  a  time. 

A  proof  that  the  implementation  satisfies  the  specification. 

Nowadays,  my  standard  approach  to  verification  is  to  start  with  a  high-level 
program  having  a  coarse  grain  of  atomicity,  and  to  refine  the  grain  of  atomicity 
until  I  reach  the  desired  program. 
I can't reason about (nondiscrete) real time.

At  a  workshop  in  1988,  I  gave  a  one-hour  lecture  in  which  I: 

Specified  a  distributed  spanning-tree  algorithm  having  the  requirement  that 
the  computation  reach  and  maintain  a  correct  configuration  within  a  fixed  length 
of  (real)  time. 

Gave  an  implementation  using  timers.  I  assumed  only  that  timers  ran  at 
a  rate  of  1  +/-  epsilon  seconds  per  second,  and  that  messages  were  delivered 
within  delta  seconds  of  the  time  they  were  sent.  (Epsilon  is  any  real  number  in 
the  range  [0,  1)  and  delta  is  any  positive  real  number.) 

Sketched  a  proof  that  the  implementation  satisfied  the  specification. 

I  have  since  written  a  detailed  formal  correctness  proof. 

I can't reason about programs without assuming a fixed granularity.

A recent paper of mine ["win and sin: Predicate Transformers for Concurrency",
TOPLAS 12, 3 (July 1990), 396-428] gave a rigorous correctness proof
for the bakery algorithm. This algorithm makes no assumption about the grain
of atomicity of its operations. (It was the first algorithm to achieve mutual
exclusion without assuming lower-level mutual exclusion.)

I’m  sure  the  philosophers  can  explain  why  I  haven't  really  done  these  things. 
I’ll  be  happy  to  listen  to  their  explanations,  as  soon  as  they  can  use  their 
philosophically  approved  methods  to  reason  formally  about  something  more 
complicated  than  a  biscuit  machine. 


To: concurrency@theory.lcs.mit.edu
From: pratt@cs.Stanford.EDU
Subject: Re: Flame re distributed processes and granulity
Date: 08 Nov 90 12:58:19 PST (Thu)

On p.419 of the proceedings of Logics of Programs 81 (LNCS 131) appears
the following extract from the panel discussion that wrapped up that conference.
Context: Amir Pnueli had just expressed the wish that every paper on
programming logic say something about how this programming logic is to be
applied to proving something about programs.

"Nemeti: I'd like to protest a little bit about what you (Pnueli) said about
our papers. The structure of our technological society is just not like that.
There was a guy called Roentgen. You could have gone to him and said, 'What
are you doing playing around with these funny things of yours? Why don't you
try to heal people who have colds?' There are theoreticians who are doing basic
research, and there are less theoretical theoreticians, and there are technologists,
so there is a whole spectrum of research in science. The theoreticians doing the
basic research are really needed, because the basic ideas, the fundamental ways
we look at things, come from there. Now, if you want to restrict them to report
each time how this will be used, then it will result in impotence."

While I have nothing to add to this, I do have a question arising out of
it. Who believes that "the basic ideas, the fundamental ways *systems people*
look at things" come from the theoreticians? Do systems people believe this?
And do theoreticians believe it?

Vaughan  Pratt 


To: concurrency@theory.lcs.mit.edu
From: lamport@src.dec.com (Leslie Lamport)
Subject: [lamport@src.dec.com: for the concurrency mailing list]
Date: 10 Nov 1990 1721-PST (Saturday)

Dear Dr. Roentgen,

I am writing to congratulate you on the success of your continuing experiments
with X-rays. I can imagine your dismay at the many charlatans who have
used your X-rays to justify "invisible ray" theories based on fancy rather than
science. And those silly French physicists with their N-rays! How fortunate that
we live in a society where scientific validity is determined by rigorous experiment.
I presume you are aware of the disturbing developments in the Soviet
Union, where Dr. Lysenko attacks the work of Mendel on ideological grounds.
I'm afraid it will be many years before the Soviets permit sound research in
genetics, since they value philosophical correctness above empirical observation.

Sincerely  yours, 

Leslie  Lamport 


To: pratt@cs.stanford.edu, concurrency@theory.lcs.mit.edu
From: Robert J. Hall <RJH@ai.mit.edu>
Subject: re: Re: Flame re distributed processes and granulity
In-Reply-To: <9011082123.AA07740@stork>
Date: Sat, 10 Nov 90 12:58 EST

>From: pratt@cs.Stanford
>
>On p.419 of the proceedings of Logics of Programs 81 (LNCS 131)
>appears... "Nemeti: ..." (regarding need for theoreticians,
>etc)

It seems to me this quote does not directly address Lamport's complaint
which was, I believe, that the theoreticians on this list seem to be making false
claims (as enumerated by Lamport). He seemed to be fraternally suggesting that
one way of avoiding such false claims may be to keep a closer contact between
theory and practice, if indeed theory is attempting to have some benefits for
practice. In particular, if one's claim is to the effect that a technologist "can't
do" something using a theory, one must at least be more precise about what it
means to do that thing. Obviously, Lamport believes he has successfully used the
interleaving-based view to reason about multiple granularities, whereas previous
discussions on the list seem to claim he can't have done so (similarly for the
other issues raised).

-  Bob 


To: "Robert J. Hall" <RJH@ai.mit.edu>
Cc: concurrency@theory.lcs.mit.edu
From: pratt@cs.Stanford.EDU
Subject: Re: Flame re distributed processes and granulity
Date: 11 Nov 90 20:22:55 PST (Sun)

>It seems to me this quote does not directly address Lamport's
>complaint which was, I believe, that the theoreticians on this
>list seem to be making false claims (as enumerated by
>Lamport).

My  quote  addressed  Leslie’s  complaint  in  the  most  direct  way  possible  under 
the  circumstances.  Leslie  did  not  identify  any  particular  claim  made  on  the  list. 
Rather  he  complained  generally  that  certain  contributors  to  the  list,  whom  he 
did  not  specify,  had  claimed  there  were  certain  things  he  couldn’t  do,  which 
he  did  specify.  There  have  been  various  claims  on  this  list  about  limitations  of 
interleaving,  but  none  that  I  recall  making  the  claims  Leslie  was  complaining 
about,  nor  any  that  conflicted  with  the  evidence  he  adduced  in  support  of  his 
complaint. 

One  claim  about  interleaving  in  this  forum  is  in  my  October  26  message  to 
David  Luckham.  There  I  claimed  that  Szpilrajn’s  representation  theorem  for 
posets,  that  every  poset  is  representable  as  the  set  of  its  linearizations,  depends 
on  several  assumptions.  For  each  assumption  I  showed  informally  in  what  way 
the  theorem  could  fail  in  the  absence  of  that  assumption,  in  some  cases  giving 
pointers  to  where  more  detailed  proofs  of  those  failure  modes  could  be  found. 

I  see  no  logical  connection  between  Leslie’s  complaint  and  my  claim.  And 
even  if  there  were  some  connection,  the  existence  of  failure  modes  of  trace-based 
logic  when  certain  assumptions  are  violated  in  no  way  implies  that  every  trace- 
based  proof  violating  those  assumptions  must  be  unsound.  I  do  not  begrudge 
Leslie  his  sound  proofs,  however  obtained. 

The  failure  modes  of  Szpilrajn’s  theorem  are  not  just  mathematical  curiosi¬ 
ties  but  potentially  real  engineering  problems.  Perhaps  Leslie  knows  how  to  take 
care  of  these  problems  using  trace-based  logic,  but  I  don’t  see  how  his  cited  ex¬ 
amples  demonstrate  this  at  all.  How  might  a  logic  based  on  sets  of  traces  deal 
with  each  of  the  following  situations? 

1.  Distinguish  the  race  implicit  in  a\b  from  the  race-free  situation  implied 
by  ab  +  6a. 

2.  Reason  about  observations  made  by  a  team  of  distributed  observers  who 
agree  on  what  events  happened  but  not  in  what  order. 


3.  Reason  about  the  possible  interleavings  of  two  concurrent  sine  waves. 
(Presumably  one  falls  back  on  some  other  technique  for  combining  traces  than 
interleaving  them.) 

He  seemed  to  be  fraternally  suggesting  that  one  way  of  avoiding  such  false 
claims  may  be  to  keep  a  closer  contact  between  theory  and  practice 
I  found  no  hint  of  such  a  suggestion  in  Leslie’s  message. 

Vaughan  Pratt 


To: concurrency@theory.lcs.mit.edu
From: pratt@cs.Stanford.EDU
Subject: Re: for the concurrency mailing list
Date: 12 Nov 90 13:20:57 PST (Mon)

Leslie's "fraternal suggestions" could easily create the impression that he is for interleaving and I am against. This construes my position too narrowly. Let me set this in the historical perspective of a FOCS-76 paper by Ron Rivest and myself that Leslie attacked at that time.

Ron and I had given an interleaving proof of correctness of our solution of the mutual exclusion problem for two unreliable processes. The gist of our proof was that the many paths through our code fell into 6 classes, permitting a straightforward case analysis each case of which had a simple argument. We found this program by making small random perturbations to a tiny but buggy mutual exclusion protocol. Even after looking at the four instructions of our resulting program for a long time we had absolutely no intuitive understanding of why that perturbation was correct and others very like it were not!

Leslie protested to us that such a proof as ours based on classification of interleavings was inappropriate. He showed us a proof of correctness of our procedure based on a theory he had evolved of why it worked.

Had we considered our program to be the final word on this subject we could well have agreed with Leslie that having an "insightful theory" of our code was worthwhile. After all, the method used to find a prime need not be the best method to convince someone of its primality.

However even assuming that Leslie's proof gave us the additional insight into our procedure that he claimed it should, it seemed to us that our procedure was surely just one of more to come, and that the effort of making up such a theory after the fact was therefore wasted. Furthermore our strategy for discovering new such algorithms depended critically on the automatic nature of interleaving analysis; we had no idea how to write a program which given a random algorithm would generate a theory of how it might work, whereas we knew how to enumerate and check all its interleavings mechanically in a short time.

This was borne out by the subsequent extension of our work by Mike Fischer and Gary Peterson, published in STOC-77. Whereas our solution involved I think 7 states for each of two processes they had 3 states each (3+3, and another solution with 4 states at one process and 2 states at the other, 4+2). They found their very economical solutions by trying out various possible programs and checking all interleavings of each until they found one that worked. They used two such checkers, written independently by Mike and Gary.

Gary did come up with a Lamport-style after-the-fact theory of why their 3+3 mutex procedure worked. Mike's comment to me about that proof was that since they'd already mechanically checked correctness simply by running their procedure through all possible interleavings, this more conventional proof, which had to be manually checked, added nothing to Mike's confidence in the correctness of their procedure, and indeed seemed to him more likely to contain lacunae.

Now I can see clearly that such post hoc theories of these procedures might have a certain esthetic attraction, and might even be useful. My point is not to fault Leslie for coming up with such a theory but only to demonstrate that I am not a religious zealot on the use of interleaving analysis in concurrency. Indeed I still know of no simpler proof of our FOCS-76 algorithm than our 6-case interleaving analysis, and if I were writing it up today I would still prove it correct in that way. Moreover I have no problem with the use of interleaving in any situation to which it is applicable. In particular I have no quarrel with Leslie on the applicability of logics based on interleaving to the problems he listed in his flame.

I trust that Leslie uses a different logic to prove the correctness of his algorithms from the one he uses to prove that those of us who have in the course of twenty-five years gradually moved from writing concurrent programs to reasoning abstractly about them have by so doing turned themselves into charlatans. This was the only fraternal suggestion I found in Leslie's two messages. A century ago the same logic would have demonstrated with equal validity that Cantor was a charlatan.

Vaughan Pratt

(In the course of my obtaining publication clearances from the contributors to this debate in July 1996, Leslie Lamport asked that the following response to the above be included. — Vaughan Pratt)

My objection was not that your proof was "inappropriate", but that it wasn't believable. It was a hand proof based on analyzing about 26 cases. Your paper did not mention, and at the time I knew nothing about, your exhaustive computer checking of the algorithm. I would not have objected to your written "proof" had it been called a sketch of a mechanical verification.

Leslie


To: concurrency@theory.lcs.mit.edu
From: mischu@allegra.tempo.nj.att.com (Michael Merritt)
Subject: Begin-the great debate-End
Date: Mon, 12 Nov 90 15:45:48 EST

While I can't pretend to follow all the subtleties of the ongoing discussion, I do have a fairly specific query for the proponents of partial orders, growing out of my fairly extensive experience in modeling concurrent algorithms using interleaving.

Specifically, I generally model operations as consisting of a sequence of two atomic events, the beginning and ending of the operation. When communication is involved, these are described as requests and replies. (E.g. Request-Read(register-x), Reply-Read(register-x, value).) When operations run concurrently, their begin and end events occur in an interleaved sequence. Using this approach, I would resolve the a|b vs ab + ba debate by denoting a and b by begin-a,end-a and begin-b,end-b, respectively. Then a|b is the set of sequences:

(begin-a,end-a,begin-b,end-b), (begin-b,end-b,begin-a,end-a), (begin-a,begin-b,end-a,end-b), (begin-b,begin-a,end-b,end-a)

and ab + ba is the (very different) set

(begin-a,end-a,begin-b,end-b), (begin-b,end-b,begin-a,end-a).

Similar causally distinct processes would seem to be distinguished by such a semantics, as well.

When refining an operation, I never change the symbols denoting the begin and end of the operation. I simply change the (internal) operations that occur between the begin and end actions.

The begin/end distinction is particularly useful at interfaces, where the system issues a request and the environment responds, or vice-versa.

I am interested in reactions to this method of resolving the (over-emphasized, in my mind) debate.

On multiple observers of concurrent systems: it seems to me that an accurate model of such systems should distinguish between the occurrence of an event and its observation. (I think even the physicists do this much.) A run of such a system then consists of an interleaved sequence of events and their observations. The subsequence experienced by a single observer is obviously consistent with a set of runs.

What's missing?

I'll send references and/or papers if anyone is interested in seeing these ideas applied to algorithmic problems. But I should say that I work within the formal framework (I/O automata) devised by Nancy Lynch and Mark Tuttle.

Now, it is true that in reasoning about concurrent systems I often find myself reasoning about partial orders embedded in the language (set of sequences) denoted by the system, and I am interested in tools that would help me do that. But I am also reluctant to give up induction as a proof technique. Why can't I have both?

Michael Merritt
To: concurrency@theory.lcs.mit.edu
From: pratt@cs.stanford.edu
Subject: DO the great debate CONTINUE
In-Reply-To: Your message of Tue, 13 Nov 90 08:49:13 EST. <9011131349.AA01750@stork>
Date: 13 Nov 90 12:30:27 PST (Tue)

    From: mischu@allegra.tempo.nj.att.com (Michael Merritt)
    Specifically, I generally model operations as consisting
    of a sequence of two atomic events, the beginning and
    ending of the operation

    What's missing?

In fact for deterministic parallel constructs this is a provably sound abstraction (or contrapositively, languages are a fully abstract model with respect to the semantics defined by just sets of such begin-end pairs). Theorem 2.3 of Gischer's thesis (Stanford report STAN-CS-84-1033, 1984) is that two pomsets are language equivalent iff they are digram equivalent. (I don't know why Jay omitted this theorem from the journal version, TCS 61:199-224.) That is, take the operations of one's language to be all pomset-definable operations (namely concatenation, concurrence, N(a, b, c, d), etc.), and let the variables range over arbitrary sets of strings. Then the resulting equational theory, consisting of all equations between terms of this language that are universally true in this interpretation, is the same theory as obtained when the strings are restricted to strings of length two.

Perhaps you don't care about all pomset definable operations, but presumably you at least care about two of them, namely concatenation and interleaving. This case can be formally defined and treated without mentioning pomsets or true concurrency at all. In this case the theorem is just about how sets of strings combine under concatenation and interleaving. Jay's theorem 2.3 applies equally to this restricted case.

This seems to provide positive support for the two-event interpretation of operations. But in fact there is something missing, namely nondeterminism. (Pomset definable operations such as concurrence, although indeed nondeterministic from a false-concurrency perspective, are properly considered deterministic in the true concurrency world.)

In 1988 Van Glabbeek and Vaandrager asked whether digrams sufficed for the richer language obtained by expanding this deterministic language of pomset-definable operations with the nondeterministic choice operator p+q, interpreted simply as language union. Their initial answer was that a gap now appeared between digrams and trigrams, which they showed with an automaton they called the "owl" because of its shape. They have subsequently extended this result to show that (n+1)-grams make finer distinctions than n-grams for all n. (This incidentally is a very nontrivial result, which took them a long time to find. I tried very hard even just to separate 3 from 4 without success, I guess my brain is out to lunch these days.)

So why don't practitioners notice these phenomena in their work? Presumably because they don't leap out at the casual observer. For just this reason 19th century engineers did not notice discrepancies in their day-to-day work due to relativity and quantum mechanics. It is true that any engineer whose measurements depended on the velocity of light not changing between summer and winter by an amount as large as twice the earth's orbital velocity would be grateful for relativity, but how many engineers in those days felt this was a serious problem?

Nowadays surveyors who use $10,000 interferometers routinely in the field to measure hundreds of feet to an accuracy of hundredths of an inch would find these seasonal variations in the velocity of light very distracting if they existed. The earth's orbital velocity is 29.8 km/s and light travels at 299,800 km/s, so according to the ether theory the length of a 500-foot boundary would appear to be gently oscillating at 32 nanohertz with a peak-to-peak amplitude of 1.2 inches.

By the same token Wien's law did have an odd bump, but how many practicing chemical and other engineers of the day had their work thrown off by it?

Nowadays quantum mechanics explains a host of phenomena that would have started accumulating without explanation at an alarming rate during this century had quantum mechanics not been in place to account for them.

But to early 20th century engineers relativity and quantum mechanics were just theoretical curiosities that one would only notice if one looked extremely closely in the neighborhood of where their delicate effects were to be felt. Perhaps more strikingly, it has been said that a common view among late 19th century physicists was that the structural aspects of physics had been fully elucidated, with the bulk of the remaining work being a matter of measuring everything more accurately.

I suggest that we have much the same situation here. Take the largest concurrent algorithm that anyone has ever proved correct. Is the future of concurrency just a matter of extending the proof techniques that worked there to yet larger code fragments? I don't think so, for the various reasons I gave in my message to David Luckham. As we pass to more widely distributed computations, as the ratio of end-to-end time over bit-to-bit time increases, as observations become more complex, and as glitching intrudes itself into yet more situations, the linear-time model will become a Procrustean bed that some may continue to find the equal of a Beautyrest mattress but that many others will find unreasonably painful.

    Now, it is true that in reasoning about concurrent systems I
    often find myself reasoning about partial orders embedded in
    the language (set of sequences) denoted by the system, and I am
    interested in tools that would help me do that. But I am also
    reluctant to give up induction as a proof technique. Why can't
    I have both?

I could not ask for a better example of reason (i) in my 1986 IJPP paper (obtainable by ftp from boole.stanford.edu as ijpp.{tex,dvi}, instructions in Boole's /pub/README) for why people prefer interleaving. Over the years people have built up a substantial workshop full of tools for manipulating strings and sets of strings. Put them in a partial order environment and they feel disoriented and deprived of their tools.

My answer to this reason was that we should remove it by building the tools needed for a universe in which time is partially ordered. To this end my IJPP paper developed a number of language constructs some of which like orthocurrence had no analog in the world of linear orders, and some of which like network composition could be defined for linear orders but were then vulnerable to the Brock-Ackerman anomalies in the presence of nondeterminism.

With regard specifically to induction, my recent paper "Action Logic and Pure Induction" (similarly obtainable from Boole as jelia.{tex,dvi}) shows how to do induction in a wide range of situations, going well beyond languages and binary relations. In commutative action logic the "horizontal" operation ab becomes concurrence, a|b. Yet one can still perform induction on iterated concurrence. Another interpretation of ab is orthocurrence, as per my IJPP 86 paper. Again one can do induction with iterated orthocurrence. And as always one can do induction on iterated concatenation, i.e. the usual Kleene star but in other settings than languages and relations, e.g. pomsets, where the concatenation of pomsets is only linear when the given pomsets are linear.

If all you want is the ability to reason as you have always done by induction, that is no reason to replace pomsets by strings.

Tony Hoare disagrees with me that unfamiliarity with partially ordered time is a major obstacle to its greater adoption. I confess I don't have any strong evidence (though the above is one data point), but I do have a very strong feeling that if people felt that they could move from linear time to partial without giving up any of their tools, and also appreciated the advantages I and others have been pointing out for partial orders, there would be a lot more such migration than at present.

The argument is sometimes made that linear time is fully abstract for concurrent computation and partial time is not (i.e. it makes unobservable distinctions), e.g. Bengt Jonsson in POPL-89, Jim Russell in FOCS-89, and I think others (I recently saw a mention by Tony Hoare of a similar sounding result by Mark Josephs). While this is true in the domain of Szpilrajn's theorem, outside its domain what happens is that partial time becomes fully abstract while linear time becomes unsound (asserts false equalities), see my paper on this with Gordon Plotkin (pp2.{tex,dvi} obtainable from Boole as above).

Given the choice of two theories such that, as one moves in and out of the domain of Szpilrajn's theorem, one theory varies between being fully abstract and not fully abstract, but always remaining sound, while the other varies between sound and unsound, but always remaining fully abstract, which would you choose?

Vaughan Pratt


To: concurrency@theory.lcs.mit.edu
From: Rob van Glabbeek <rvg@rege.Stanford.EDU>
Subject: Begin-the great debate-End
In-Reply-To: Michael Merritt Tue, 13 Nov 90 08:49:13 EST
Date: Tue, 13 Nov 90 16:53:13 PST

    From: mischu@allegra.tempo.nj.att.com (Michael Merritt)
    Date: Mon, 12 Nov 90 15:45:48 EST
    I am interested in reactions to this method of
    resolving the (over-emphasized, in my mind) debate.

This idea occurs in many texts on interleaving semantics. The following formulation is taken from HOARE 85: 'The actual occurrence of each event in the life of an object should be regarded as an instantaneous or an atomic action without duration. Extended or time-consuming actions should be represented by a pair of events, the first denoting its start and the second denoting its finish.'

The idea of splitting events with a duration is a very powerful one, and means that many features of concurrent systems can in principle be modeled adequately in interleaving semantics. However, in a lot of cases one can doubt whether it is natural to model a concurrent system in interleaving semantics only, even if this can be done theoretically.

Take for instance the extremely useful distinction between functional behaviour and performance. The idea is that for a given (distributed) system one first studies whether it is functionally correct, and only when this has been shown (ideally), one moves to questions concerning its time/space complexity. The problem that we see in the above 'solution' for dealing with actions with duration, is that the issues of functional behaviour and performance get mixed up. The following trivial example to illustrate this point comes from Frits Vaandrager, but is for the opportunity adapted by me to a setting with biscuit machines.

Suppose we are interested in a vending machine which produces two biscuits when a coin is inserted and then returns to its initial state. The machine should satisfy the following trace-specification S:

2 × (coins − 1) ≤ biscuits ≤ 2 × coins,

i.e. for each sequential trace of the machine we should have that the number of occurrences of the action biscuit in this trace is bounded by 2 times the occurrences of the action coin and 2 times (coins − 1).

A first proposal for a machine with this property is described by the recursion equation

VMS = coin ; bisc ; bisc ; VMS .

An alternative proposal could be

VMS' = coin ; (bisc || bisc) ; VMS' .

In interleaving semantics we of course have: VMS = VMS'. This means that under certain conditions we may infer that VMS and VMS' have the same functional behaviour. So as soon as we have shown in some appropriate calculus that VMS satisfies S, we can conclude that also VMS' satisfies S. We now can make two observations:

1. Especially when dealing with the functional aspects of the system the above choice of actions seems very natural. Working with actions begin-coin, end-coin, etc. gives an overhead which nobody would like to have. The traditional problem of interleaving semantics, namely combinatorial state explosion, will arise even faster in case actions are split. Moreover the functional equivalence of the two machines can not so easily be determined.

2. Intuitively the situation concerning performance is clear: machine VMS' is faster than machine VMS because it will work in parallel. So why not build a semantic theory in which this intuition can be formalized?

In the view of Frits and myself the above considerations strongly plead for a semantic theory with at least two notions of equivalence: (1) an interleaving equivalence for dealing with functional aspects, and (2) a non-interleaved equivalence for dealing with performance. The idea is then that at the non-interleaved level actions can have duration and structure, whereas at the interleaving level one abstracts from these aspects and imposes a total order on the actions.

One of the options for the non-interleaved equivalence — in the spirit of Hoare and Merritt — is to say that two processes are to be regarded as equivalent iff their split versions have the same interleavings. This non-interleaved semantics lies somewhere between interleaving semantics and partial order semantics.

    Similar causally distinct processes would
    seem to be distinguished by such a semantics, as well.

However not all causally distinct processes can be distinguished by such a semantics. Especially when permitting autoconcurrency (the independent execution of two events which on the chosen level of abstraction are considered to be occurrences of the same action) the proposed semantics falls short in a number of aspects:

Consider the processes (abc||b) + (ab||bc) and (ab||bc).

Here ab is the sequential composition of actions a and b, ab||bc is the parallel and independent composition of the processes ab and bc, and P + Q denotes a (nondeterministic) process that behaves either like P or like Q. If we don't care for branching time the left hand side process can be represented by the automata:

    *--a-->*--b-->*
    ^      ^      ^
    c      c      c
    |      |      |
    *--a-->*--b-->*--c-->*
    ^      ^      ^      ^
    b      b      b      b
    |      |      |      |
START--a-->*--b-->*--c-->*

After splitting all actions in two the automaton looks like:

    *-a0->*-a1->*-b0->*-b1->*
    ^     ^     ^     ^     ^
    c1    c1    c1    c1    c1
    |     |     |     |     |
    *-a0->*-a1->*-b0->*-b1->*
    ^     ^     ^     ^     ^
    c0    c0    c0    c0    c0
    |     |     |     |     |
    *-a0->*-a1->*-b0->*-b1->*-c0->*-c1->*
    ^     ^     ^     ^    /^     ^     ^
    b1    b1    b1    b1 /  b1    b1    b1
    |     |     |     |/    |     |     |
    *-a0->*-a1->*-b0->*-b1->*-c0->*-c1->*
    ^     ^     ^    /^     ^     ^     ^
    b0    b0    b0 /  b0    b0    b0    b0
    |     |     |/    |     |     |     |
START-a0->*-a1->*-b0->*-b1->*-c0->*-c1->*
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By  mirroring  the  right  wing  of  the  automaton  in  the  displayed  diagonal  one 
easily  sees  that  all  interleavings  originating  from  (a6c||6)  are  already  present  in 
the  big  square  (a6||6c).  Hence  the  two  processes  (a6c||6)  +  (a6||6c)  and  (a6||6c) 
(if  allowed  to  exist)  are  equivalent  in  Merritt's  semantics.  Nevertheless  one  can 
argue  that  (a6||6c)  can  be  executed  faster  than  (a6r||6)  +  (a6||6c).  If  all  actions 
a,  6  and  c  are  considered  to  take  one  hour  each,  and  the  automata  don’t  wait 
needlessly,  the  left  hand  automaton  has  the  possibility  to  need  one  hour  more 
than  the  right  hand  one. 

A  slightly  more  complicated  example  shows  that  in  fact  it  makes  a  difference 
whether  actions  are  split  in  two  or  in  three  (considering  start,  end  and  halfway 
actions  for  instance)! 

When  refining  an  operation,  I  never  change  the  symbols 
denoting  the  begin  and  end  of  the  operation.  I  simply 
change  the  (internal)  operations  that  occur  between 
the  begin  and  end  actions. 

In  case  you  don’t  allow  autoconcurrency  -  as  occurs  in  the  example  above  - 
that’s  fine.  In  order  to  capture  the  more  general  case,  where  processes  like  the 
one  above  are  considered,  you  have  to  do  some  bookkeeping  linking  end  actions 
explicitly  to  begin  actions.  Otherwise  the  operation  of  refining  an  action  fails 
to  be  a  congruence  for  your  semantical  equivalence,  i.e.  cannot  be  defined 
consistently.  Counterexamples  on  request. 

The  begin/ end  distinction  is  particularly  useful  at  interfaces, 
where  the  system  issues  a  request  and  the  environment  responds, 
or  vice-versa. 

Don’t  misunderstand  me;  I  do  think  the  distinction  can  be  applied  usefully. 

On  multiple  observers  of  concurrent  systems:  it  seems  to  me 
that  an  accurate  model  of  such  systems  should  distinguish 
betveen  the  occurance  of  an  event  and  its  observation.  (I 
think  even  the  physicists  do  this  much.)  A  run  of  such  a 
system  then  consists  of  an  interleaved  sequence  of  events  and 
their  observations.  The  subsequence  experienced  by  a  single 
observer  is  obviously  consistent  with  a  set  of  runs. 

Vhat’s  missing? 

The  coordination,  at  the  end  of  each  single  run  of  the  investigated  system,  of 
the  data  obtained  by  different  observers.  Suppose  that  the  system  (a| |6),  where 
the  occurrences  of  a  and  6  may  even  be  considered  to  be  instantaneous  events, 
runs  only  once,  and  is  observed  by  two  experimenters  (traveling  in  different 
inertial  frames  for  instance).  Then  it  may  happen  that  one  of  them  observes  ab 
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whereas  the  other  observes  6a.  If  they  now  would  simply  drop  there  observations 
into  a  big  bag  of  interleavings  where  also  sequences  that  where  observed  during 
other  runs  of  the  system  are  gathered,  their  work  does  not  provide  evidence  for 
the  fact  that  they  are  observing  (a||6)  rather  than  (a6  +  6a).  However,  if  the 
two  meet  after  their  observations  and  compare  notes,  they  may  realize  that  they 
perceived  the  very  same  run  of  the  system  in  a  different  way.  From  this  they 
conclude  that  a  and  6  must  have  been  executed  independently. 

I'll send references and/or papers if anyone is interested in seeing these ideas applied to algorithmic problems.

Send me.

But I should say that I work within the formal framework (I/O automata) devised by Nancy Lynch and Mark Tuttle.

Oh... Well, send me anyway.

Now, it is true that in reasoning about concurrent systems I often find myself reasoning about partial orders embedded in the language (set of sequences) denoted by the system, and I am interested in tools that would help me do that. But I am also reluctant to give up induction as a proof technique. Why can't I have both?

Yes, why can't you?

Rob van Glabbeek


To: concurrency@theory.lcs.mit.edu
From: lamport@src.dec.com (Leslie Lamport)
Subject: Reply to Pratt
Date: Thu, 15 Nov 90 11:43:10 -0800

Vaughan asks

How might a logic based on sets of traces deal with each of the following situations?

1. Distinguish the race implicit in a|b from the race-free situation implied by ab + ba.

2. Reason about observations made by a team of distributed observers who agree on what events happened but not in what order.

3. Reason about the possible interleavings of two concurrent sine waves. (Presumably one falls back on some other technique for combining traces than interleaving them.)

The answer is that I don't know and I don't care. These questions never arise in my work.
How can it be that I find these issues to be irrelevant when Vaughan, who's an intelligent and (generally :-) reasonable computer scientist, considers them important? To answer this, I must begin with a discussion of the nature of science.

Any science is ultimately concerned with the real world. A scientific theory consists of a mathematical formalism together with a way of relating that formalism to the real world. For example, Newtonian mechanics consists of a mathematical theory of point masses moving along trajectories in mathematical 3-space, together with a way of relating those mathematical objects to the motions of real objects, such as planets. Note that not every concept in the mathematical formalism need correspond to something in the physical reality; for example, the vector potential of classical electromagnetism has no physical counterpart.

Any useful scientific theory has a limited domain of application. A theory-of-everything is generally good for nothing. Newtonian mechanics can't describe the flow of fluids, for which one needs a theory containing mathematical concepts corresponding to friction and viscosity.

For computer science, the real world usually consists of computers (hunks of wire and silicon) executing programs. Theories in computer science are based on such diverse mathematical formalisms as Turing machines, temporal logic, and CCS.

To judge a scientific theory, one must know what its claimed domain of applicability is. The work of mine that I mentioned in an earlier message involves a theory whose domain is the specification and verification of functional properties of concurrent systems. I won't describe this domain here, except to note that "functional properties" include eventual termination and upper and lower time bounds on termination; they exclude probability of termination and expected time to termination.

Computer scientists have tended to be vague about the domain of applicability of their theories. As a result, people who work in one theory often think their theory is good for everything. For example, I have heard people say that the algebraic laws of CCS make it good for verifying distributed algorithms. CCS works fine for verifying biscuit machines. It is hopelessly impractical for verifying even the simplest distributed spanning tree algorithm, let alone the more complex algorithms that system builders use. Robin Milner realizes this (I've discussed it with him), but many of his disciples don't.

This doesn't mean that CCS is worse than my theory; just that it has a different domain of applicability. It is as silly to say that CCS is better or worse than my theory as it is to say that physics is better or worse than biology. Human nature being what it is, almost all physicists believe in their hearts that physics is more important than biology. However, physicists understand that not everyone believes this, so a university will teach biology even if the dean of faculty is a physicist. One wishes that computer scientists were as understanding.
I think there are two general reasons why a concept that's important to theory A may be absent from theory B:

(i) The concept is irrelevant to the domain of applicability of theory B.

(ii) The concept belongs to the mathematical formalism of theory A and, even though the two theories have overlapping domains of applicability, theory B's method of translating reality into mathematical formalism makes the concept irrelevant or meaningless.

Case (ii) is the more insidious cause of misunderstanding. People get so used to their favorite theory that they confuse its mathematical formalism with physical reality. For example, some advocates of CCS will say that my theory is deficient because it doesn't distinguish between internal and external nondeterminism. They don't realize that internal/external nondeterminism is part of the mathematical formalism of CCS, not a property of physical reality, so there is no reason why it should be a meaningful concept in another theory. This error is not confined to one side of any ideological fence. A colleague of mine once asserted that he could prove any kind of property of a program, since he could prove safety and liveness properties and any property is the conjunction of a safety and a liveness property. He was confusing the real-world concept of a property (in "prove any kind of property") with the mathematical concept of a property as a set of behaviors (in "any property is the conjunction ...").

It can be argued that (ii) is an unavoidable source of misunderstanding, since one can discuss physical reality only in terms of mathematical models. I don't think the situation is so hopeless. We can make statements about the physical world like "if you press this key, then the system crashes" that mean approximately the same thing to everyone, regardless of his philosophical persuasion.

I think that Vaughan's question 3 (sine waves) is an example of (i) and his question 2 (teams of observers) is an example of (ii). His question 1 (race conditions) is more interesting and warrants discussion.

A race condition is bad if it makes the circuit behave incorrectly. When verifying circuits, one is interested only in proving that a circuit behaves correctly, not that it behaves incorrectly. So, one never has to prove the existence of a race condition. The specification of the circuit describes its external behavior, and a race condition is something that happens inside the circuit. So, proving the absence of a race condition is never a primary goal. If there is a potential race condition that never actually occurs (for instance, because of the initial conditions), then the proof will contain a lemma (a mathematical formula) whose physical interpretation will be the absence of a race condition.

However, the concept of a race condition is not irrelevant. A race condition on its inputs might cause a circuit component to produce an invalid output voltage, a "1/2" instead of a "0" or a "1". In this case, a mathematical model of the component that allows only the outputs "0" and "1" is inadequate. With such a model, the domain of applicability of the theory would not include the actual circuit. Fortunately, with more sophisticated models (for example, by including a "1/2" output), I believe it is possible to use my theory to reason about real circuits. (I haven't done such reasoning myself, but others have using similar theories.) The concept of a race condition is relevant for modeling the real circuit in the mathematical formalism, but it doesn't appear in the formalism itself.

Scientific theories are useful because the mathematical formalism is simpler than physical reality. Newtonian physics eliminates an awful lot of important details (like you and me) when it represents the earth as a point mass. Those details are irrelevant for computing planetary orbits. They are not irrelevant for studying human history. Science is the art of simplification.

A theory should be as simple as possible, but no simpler. - Albert Einstein

The test of a scientific theory is how well it helps us understand and/or manipulate the real world.

I will close with a word about mathematics. Many computer scientists aren't scientists at all; they're mathematicians. They work in the domain of mathematical formalism, with no concern for its application to the real world. That's fine. The world needs pure mathematicians as well as scientists. But it's important for mathematicians to realize that they're not scientists. Number theorists don't criticize Newtonian mechanics for using real numbers rather than integers. Computer-scientist/mathematicians should be equally sensible.

[Postscript contributed for this proceedings, Sept. 1996.]

I now believe that one can use process algebra (though probably not pure CCS) to write a practical correctness proof of a spanning-tree algorithm, at least of its safety properties. I'm not sure if this is because the process-algebra folks have made progress, or because I now understand better how to write proofs in process algebra. (On the other hand, progress in assertional methods has not stopped either.)


To: concurrency@theory.lcs.mit.edu
From: lynch@hoIaes.lcs.mit.edu (Nancy A. Lynch)
Subject: On Lamport and Milner
Date: Sat, 17 Nov 90 07:03:36 EST

I have been following the debate about trace models with interest, and liked Leslie Lamport's most recent comments. They do seem to get at the heart of the differences between the different research communities.

One of the most interesting (and troubling) comments he makes is the remark about CCS not being useful for verifying distributed algorithms of any complexity; supposedly, Robin Milner agrees with this (!). Now, I thought I understood that a major goal of process algebraic research WAS to verify complex concurrent and distributed algorithms. I would like to hear more about this issue from proponents of CCS-like methods. More specifically, can anyone tell me clearly what types of algorithms such methods are suited for verifying, and what are outside their domain of applicability? If the methods so far have really had only limited success, then is this limitation inherent in the methods (or their intended domain of applicability) or just a matter of time?

Nancy Lynch


To: concurrency@theory.lcs.mit.edu
From: pratt@cs.Stanford.EDU
Subject: Reply to Lamport's reply to Pratt
In-Reply-To: Your message of Fri, 16 Nov 90 18:28:10 EST. <9011162328.AA05325@stork>
Date: 18 Nov 90 00:04:52 PST (Sun)

[The story so far.] On Oct. 21 David Luckham queried me about an attitude to partial orders that he'd run into during discussions with ONR-funded software people. I shared my reply to David with this list, which led to considerable discussion. On Nov. 6 Leslie Lamport entered the discussion with a complaint that certain parties to this discussion whom he did not name were claiming that he couldn't do what he was doing, an assertion that he could indeed do what he was doing, and a deduction that those parties must therefore be charlatans.

I pleaded innocent to the complaint, agreed with the assertion, and, in case Leslie had me in mind as one of the charged parties, attempted to refute the deduction with some situations where partial orders helped.

Leslie's reply of yesterday (Nov. 16) put my situations into three classes: those outside his world, e.g. sine waves, those in his world but independent of his theory of his world, e.g. multiple observers, and those that potentially conflicted with his theory but which he felt confident his theory could be extended gracefully to handle, e.g. race conditions. He concluded by chastising mathematicians who criticize what scientists do. [Now read on.]

This conclusion leaves me puzzled. While Leslie has defended himself admirably, I cannot tell what criticism stung him into defense. Let me repeat what I said on Nov. 12:

There have been various claims on this list about limitations of interleaving, but none that I recall making the claims Leslie was complaining about, nor any that conflicted with the evidence he adduced in support of his complaint.

Leslie's techniques seem to be fine for their purposes. I don't know why this message isn't getting through.

Echoing Sol Feferman's "Bravo," I heartily concur with the rest of Leslie's stimulating essay, to within the following differences.

The answer is that I don't know and I don't care. These questions never arise in my work.
I know that and I didn't care at first. Robert Hall supplied the necessary existence proof that there were people on the list who did care, or I would have let the matter rest with just the Nemeti quote from LOP-81 (LNCS 131, p.419), my initial response to Leslie's opening message.

Although Leslie's view of concurrency is adequate for him, it is also somewhat of a straitjacket. There are aspects of concurrency that he does not find worth studying but that others do. Perhaps the implications of those aspects will never insinuate themselves into Leslie's world, but who knows? Which residents of Nagasaki and Hiroshima foresaw the abrupt intrusion of the abstract equation E = mc² into their world?

Fortunately, with more sophisticated models (for example, by including a "1/2" output), I believe it is possible to use my theory to reason about real circuits.

Yes, this is an excellent idea. Its origins are surely shrouded in history, but it can be found recently in van Glabbeek and Vaandrager's PARLE-87 notion of ST-bisimulation, with Leslie's 1/2 represented as marked transitions. It is also the basis for the "prosset" model Gaifman and I described in LICS-87, a model described more elegantly in "Temporal Structures" (in LNCS 389 21-51, also STAN-CS-89-1297, also available by ftp from boole.stanford.edu as man.{tex,dvi}, and to appear in Math. Struct. in CS 1:2), in terms of the "idempotent closed ordinal" 3. In Leslie's notation 3' = {0, 1/2, 1}. This important (non-cartesian-closed) ordinal is also the dualizing object 3 in the Stone-Birkhoff duality described in my POPL-91 paper, though space and time have conspired to let me do little more than name 3 in that paper; a proper account of the dualizing role of 3 will appear in a subsequent paper. The essential idea is that {0, 1/2, 1}, or {0, T, 1} as I call it in the POPL paper, refer respectively to before, transition, and after. A race is characterized by the possibility of having two processes both being in state T. The function of mutual exclusion is to rule out that combination. This is the essential distinction between a|b and ab+ba: both permit 8 of the 9 = 3² combinations in {0, T, 1} × {0, T, 1}, but only the former permits the 9th combination (T, T).

I apologize for the large amount of algebraic machinery in which we have embedded Leslie's 1/2 in some of this work, like Sigourney Weaver in her exoskeleton in Aliens. Those wishing to meet 1/2 in a more comfortable outfit will have to await our return to planet Earth, hopefully soon. Meanwhile let me assure you that this unnerving exoskeleton really does amplify power just like the ads promise. I had no idea by how much until my students started using it on big jobs.

CCS works fine for verifying biscuit machines. It is hopelessly impractical for verifying even the simplest distributed spanning tree algorithm, let alone the more complex algorithms that system builders use. Robin Milner realizes this (I've discussed it with him), but many of his disciples don't.

You could get both Robin and me to agree to this, much as perhaps Robin and certainly I would agree that the axiomatic theory of vector spaces is fine for treating sums and scalar multiples of vectors, but is hopelessly impractical for inverting even the most well-conditioned matrices, let alone the ill-conditioned matrices that arise in transcontinental surveys. Surveyors just want their programs to give the right results; their passion for the axiomatic theory of vector spaces rarely exceeds that of Leslie's for CCS.

But it's important for mathematicians to realize that they're not scientists.

This is indeed the popular, standard, and authorized view. Nicolas Goodman makes a strong argument for the opposing view in a recent article entitled "Mathematics as Natural Science," JSL 55(1) 182-193 (March 1990).

My own view (I do hope no one is actually paying to receive this stuff :-) strays even further from the standard than Goodman's. I think of us as dealing with incoming data from the world mainly by inventing theories through which this data is filtered to yield predictions about the world; that, mutatis mutandis (important), natural selection selects for those theories whose predictions are more accurate; and (the most controversial bit) that the theories most successful at predicting are sufficiently like the most successful theories of pure mathematics that the latter should prove to have good survival value while the former could with little violence be turned into respectable mathematics. The controversial bit has the merit that both directions are in principle testable given suitable advances in AI and brain mapping respectively.

A theory-of-everything is generally good for nothing...

For computer science, the real world usually consists of computers (hunks of wire and silicon) executing programs.

It has not escaped the attention of some contributors to concurrency theory that it is starting to look like a "theory of everything." This is the result of abstracting away wire, silicon, and programs to leave a set of abstractions that could as readily be applied to the interactions of galaxies of stars, swarms of bees, and rioting soccer fans as to processes communicating via ethernets, IP/TCP, and remote procedure calls.

However concurrency theory is only a "theory of everything" in the same sense that number theory and group theory are "theories of everything." Just as number theory is more than the theory of counting sheep and beans, and group theory more than a means of proving that quintics don't have solutions expressible in radicals, so is concurrency theory more than the theory of what concurrent "hunks of wire and silicon" do.

There are then two roads one may follow here, the conservative and the liberal. The conservative road requires keeping wire and silicon in mind as the ultimate domain of application of concurrency research. The liberal road replaces "computer science" by "information science" and seeks instead a theory of information processing that will turn out to be applicable to information processors in general, whether dumb like galaxies, smart like bees and computers, or brilliant like us (pats all round).

I am most interested in the liberal road because it seems to me that the techniques of both computer science and engineering, provided they are not artificially constrained, should turn out to be broadly applicable.

For example today's factory designers have only relatively primitive tools to help them develop a design on line, test it out to get a better feeling for how well it might work in practice, turn it into a detailed blueprint for a factory, and make it the basis both for the ongoing operation and maintenance of the factory and for future modifications and redesigns.

The analog of this scenario for software systems is much further along, though it too has far to go or software research would have nothing left to do. There is no reason why the foundations of the latter should not also prove to be equally useful foundations for the former. If this is the case then the taxpayers' research dollars are spent more efficiently by working out concurrency theory so as to fully realize its benefits in all domains to which it is applicable.

I want very badly to follow the liberal road. My big problem has always been that I don't know how to write a good program until I understand the theory of what that program is about. Hence my current preoccupation with theory. This is now well along however, and I hope to be able to start designing and implementing soon. I'm hoping that many of Leslie's excellent ideas will prove useful in aspects of this work.

Vaughan Pratt
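
The {0, T, 1} account of the race in Pratt's message, and van Glabbeek's two-observer argument earlier in this exchange, can both be turned into a small executable model. The Python block below is an added illustration prepared for this edition; it is not code from any of the correspondents. It splits every action into a beginning (written x+) and an ending (x-), in the spirit of the begin/end proposals discussed in the thread, and takes as its own assumptions the function names, the encoding of ab+ba as "an action may begin only while no other action is in state T", and the generalization to more than two actions.

```python
"""a|b versus ab+ba with actions split into a beginning and an ending.

Added example, not from the original correspondence.  Each action is in one of
three states: BEFORE ("0"), TRANS ("T", begun but not ended) or AFTER ("1").
A system state is a tuple of per-action states.
"""

BEFORE, TRANS, AFTER = "0", "T", "1"


def _successors(state, sequential):
    """Yield ((kind, index), next_state): kind "+" begins action `index`,
    kind "-" ends it.  With sequential=True (modelling ab+ba) an action may
    begin only when no other action is in state T, i.e. mutual exclusion;
    with sequential=False (modelling a|b) beginnings are unconstrained."""
    for i, st in enumerate(state):
        if st == BEFORE:
            if sequential and TRANS in state:
                continue
            yield ("+", i), state[:i] + (TRANS,) + state[i + 1:]
        elif st == TRANS:
            yield ("-", i), state[:i] + (AFTER,) + state[i + 1:]


def reachable_states(sequential, n=2):
    """All reachable per-action state tuples for n independent actions."""
    start = (BEFORE,) * n
    seen, stack = {start}, [start]
    while stack:
        s = stack.pop()
        for _, nxt in _successors(s, sequential):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def complete_traces(sequential, names=("a", "b")):
    """All maximal sequences of begin/end events, e.g. 'a+ b+ a- b-'.
    `names` are single characters (an assumption of this example)."""
    traces = set()

    def walk(state, prefix):
        succ = list(_successors(state, sequential))
        if not succ:
            traces.add(" ".join(prefix))
            return
        for (kind, i), nxt in succ:
            walk(nxt, prefix + [names[i] + kind])

    walk((BEFORE,) * len(names), [])
    return traces


def atomic_traces(sequential, names=("a", "b")):
    """Project split traces onto endings only: what an observer who treats
    actions as instantaneous would record."""
    return {"".join(ev[:-1] for ev in t.split() if ev.endswith("-"))
            for t in complete_traces(sequential, names)}


def independent_pairs(observations):
    """`observations`: the sequences several observers recorded of ONE run.
    A pair of actions seen in both orders must have executed independently
    (this is the 'compare notes' step of the two-observer argument)."""
    orders = {}
    for obs in observations:
        for i in range(len(obs)):
            for j in range(i + 1, len(obs)):
                pair = frozenset((obs[i], obs[j]))
                orders.setdefault(pair, set()).add((obs[i], obs[j]))
    return {pair for pair, seen in orders.items() if len(seen) > 1}


if __name__ == "__main__":
    par, seq = reachable_states(False), reachable_states(True)
    print(len(par), len(seq), ("T", "T") in par, ("T", "T") in seq)
    print(sorted(complete_traces(False)))
    print(sorted(complete_traces(True)))
    print(atomic_traces(False) == atomic_traces(True))
    # Constructed observations of a single run of a|b by two observers.
    print(independent_pairs(["ab", "ba"]))
```

Counting the reachable tuples gives 9 for a|b and 8 for ab+ba, the missing one being (T, T). Projecting the split traces onto endings yields {ab, ba} for both systems, which is the sense in which a bag of atomic interleavings pooled over many runs cannot tell them apart, while the split traces themselves differ (six against two). Applied to two observations ab and ba of the same run, `independent_pairs` returns {a, b}.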


To: concurrency@theory.lcs.mit.edu
From: Luca Aceto <luca@cogs.sussex.ac.uk>
Subject: Two papers on begin-end
Date: Mon, 19 Nov 90 14:20:31 GMT

In the debate on "True Concurrency vs. Interleaving" on the concurrency mailing list some of the recent messages have been concerned with the modeling of the behaviour of concurrent systems under the assumption that actions have a beginning and an ending. We have been working on semantic theories for process algebras based on variations on the above idea and our results are reported in a series of papers, which are available to whoever requests them.

L Aceto, M Hennessy

Towards Action Refinement in Process Algebras
Luca Aceto and Matthew Hennessy
ABSTRACT

We present a simple process algebra which supports a form of refinement of an action by a process and address the question of an appropriate equivalence relation for it. The main result of the paper is that an adequate equivalence can be defined in a very intuitive manner. In fact we show that it coincides with the "timed-equivalence" proposed by one of the authors in [H88]. This is a bisimulation-like equivalence based upon the idea of splitting every action into two sub-actions, the beginning and the end. For the language which we consider this equivalence also coincides with a variation, called "refine equivalence", in which the beginnings and endings of actions with the same name must be properly matched.

Reference: [H88] M. Hennessy, Axiomatizing Finite Concurrent Processes, SIAM Journal on Computing 17(5), pp. 997-1017, 1988.

Adding Action Refinement to a Finite Process Algebra
Luca Aceto and Matthew Hennessy
ABSTRACT

In this paper we present a process algebra for the specification of concurrent, communicating processes which incorporates operators for the refinement of actions by processes, in addition to the usual operators for communication, nondeterminism, internal actions and restrictions, and study a suitable notion of semantic equivalence for it. We argue that action-refinements should, in some formal sense, preserve the synchronization structure of processes and their application to processes should consider the restriction operator as a "binder". We show that, under the above assumptions, the weak version of the refine equivalence introduced in [AH89] is preserved by action refinement and, moreover, is the largest such equivalence relation contained in weak bisimulation equivalence. We also discuss an example showing that, contrary to what happens in [AH89], refine equivalence and timed equivalence are different notions of equivalence over the language considered in this paper.

Reference: [AH89] This is the paper mentioned above.


To: concurrency@theory.lcs.mit.edu
From: rounds@caen.engin.umich.edu (Prof Rounds)
Subject: can't resist a comment
Date: Mon, 19 Nov 90 12:09:21 EST

I'd like to throw two cents' worth into what seems to be one of the best "bulletin board" discussions I've seen in a long time.

I agree with both Leslie Lamport and Vaughan Pratt. A mathematical model is always just that; it represents our cognitive abstraction of what reality we perceive. The theorems true in the model make predictions, which we then reinterpret in the real world, at least that part of the world which interests us. The best models simplify and constrain reality enough so that they make really strong predictions (I would put the finite-state machine in that category.) Of course, in a particular domain, the model may not account for observed phenomena, and may in fact be contradicted. If one wants to predict these new phenomena, one must refine the mathematical model. This process, though painful for those who believe in the old model, is at the heart of scientific progress.

The preceding paragraph talked about science; there is another point to make about engineering. In the field of computers we have the unprecedented opportunity to create real-world systems which conform to our mathematical perceptions. So, machines were designed to mirror our conception of digital computation; programming languages help us express mathematical algorithms, and so forth. The fascinating thing about concurrency theory is that it seems to be on the fence between science and engineering. We can use it to "explain" race conditions, or we can use it to help us design programs (witness CSP, occam, and the transputer.) Of course this was true about computability theory itself in the 30s and 40's. Witness the creation of the stored-program machine to embody the Universal Turing machine.

One other nice thing about mathematical models is that they port themselves into other domains of applicability. About 4 years ago I was working with a graduate student, Bob Kasper, on some problems in natural language processing. The problem involved specifying disjunctive information in record-like structures, more or less like variant record types are specified in Pascal. We saw a simple way to understand and to implement a system, using extremely basic notions from concurrency theory. Essentially one views a complex record as a transition system. The states are the individual nodes, and the transitions are the field designators. Then the simple logic of Hennessy and Milner, or the simplest possible subcase of deterministic PDL, becomes a way of declaring record types. Once this is seen, there are a lot of ways to reinterpret the concepts of concurrency in data types. I've been using the notions of Smyth and Hoare powerdomains, along with Aczel's non-wellfounded set theory, for example, to help understand and design so-called complex objects in object-oriented databases. Notice that Aczel's work came from an attempt to provide a proper mathematical foundation for SCCS!

The point of this last experience is that one should always keep an open mind, especially where mathematical models are concerned.

Bill Rounds
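
Rounds's record-as-transition-system idea, as an added example that is neither his nor Kasper's code: a nested record is treated as a deterministic labelled transition system whose labels are the field designators, and a record type is a Hennessy-Milner formula evaluated at the record's root. The tuple encoding of formulas, the `holds` function and the sample records are assumptions of this example. Because a record has at most one value per field, <l>phi reads "field l is present and satisfies phi" and [l]phi reads "if field l is present it satisfies phi", which is exactly what is needed to express required fields, optional fields, and the disjunctive (variant) types Rounds mentions. Checking an untrusted input record against such a declared type before acting on it is the same discipline a schema validator enforces.

```python
"""Records as labelled transition systems, record types as Hennessy-Milner formulas.

Added illustration; the formula encoding and the sample records are this
example's own.  A node is either a dict (an inner node whose keys are the
outgoing field designators) or a leaf value, which has no transitions.
"""

TRUE = ("true",)


def successors(node, label):
    """Field designator `label` leads from a record node to that field's value.
    Records are deterministic: at most one successor per label; leaves have none."""
    if isinstance(node, dict) and label in node:
        return [node[label]]
    return []


def holds(node, phi):
    """Evaluate a Hennessy-Milner formula at a record node.

    Formulas: ("true",), ("not", f), ("and", f, g, ...), ("or", f, g, ...),
    ("dia", label, f) for <label>f  (some label-successor satisfies f),
    ("box", label, f) for [label]f  (every label-successor satisfies f).
    """
    op = phi[0]
    if op == "true":
        return True
    if op == "not":
        return not holds(node, phi[1])
    if op == "and":
        return all(holds(node, f) for f in phi[1:])
    if op == "or":
        return any(holds(node, f) for f in phi[1:])
    if op == "dia":
        return any(holds(n, phi[2]) for n in successors(node, phi[1]))
    if op == "box":
        return all(holds(n, phi[2]) for n in successors(node, phi[1]))
    raise ValueError(f"unknown operator {op!r}")


def has(label, f=TRUE):
    """<label>f: the field is required (present and satisfying f)."""
    return ("dia", label, f)


def if_present(label, f):
    """[label]f: the field is optional, but must satisfy f when present."""
    return ("box", label, f)


# A variant record type in the Pascal sense: a shape is EITHER a circle with a
# radius OR a rectangle with width and height, never a mixture of the two.
SHAPE = ("or",
         ("and", has("radius"), ("not", has("width")), ("not", has("height"))),
         ("and", has("width"), has("height"), ("not", has("radius"))))

# A record with a required "name" and an optional "address" sub-record that,
# if given, must itself carry a "city" field.
PERSON = ("and", has("name"), if_present("address", has("city")))


def well_typed(record, rtype):
    """True iff `record` satisfies the type formula `rtype` at its root."""
    return holds(record, rtype)


if __name__ == "__main__":
    # Constructed sample records (not from the original message).
    print(well_typed({"radius": 2}, SHAPE))                               # circle
    print(well_typed({"radius": 2, "width": 3}, SHAPE))                   # mixed variant
    print(well_typed({"name": "Ada", "address": {"street": "x"}}, PERSON))  # address lacks city
```

The first call succeeds, the other two fail: a record carrying both a radius and a width satisfies neither disjunct of SHAPE, and an address without a city violates the [address]<city>true conjunct of PERSON.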


To: concurrency@theory.lcs.mit.edu
From: Haim Gaifman <hgl79@cunixd.cc.Columbia.edu>
Subject: Lamport on Spinoza, Science and related matters
Date: Mon, 19 Nov 90 19:39:10 EST

This is rather a belated reaction to some of the claims made in the exchange that has started with Leslie Lamport's message of November 7 ("Flame etc."). While Lamport's observations concerning Aristotle, Kant and Spinoza are marginal to the real issues of the debate, at least one point needs correction:

"... and Spinoza proved that there can be at most seven planets."

As a matter of fact, Spinoza never proved that there can be at most seven planets. Lamport is probably confusing Spinoza with Hegel (who lived two centuries later). Somewhere in Hegel's dissertation, so the story goes, is buried an argument purporting to show that the number of planets should be seven.

Perhaps the difference between Spinoza and Hegel does not mean much to Lamport. After all, they were both philosophers, that is to say vaporizing theoreticians making ridiculously unfounded claims. But, as a scientist, he should have gotten his facts straight.

As  to  the  debate  itself: 

If  A  claims  to  have  done  something  that  B  has  proved  to  be  impossible,  then 
either 

(i) there is an error in A's construction,

or 

(ii)  there  is  an  error  in  B’s  proof, 

or 

(iii)  they  are  speaking  about  different  things. 

In  cases  (i)  and  (ii)  the  debate  can  be  clearly  decided;  the  errors  are  found, 
one  of  the  claims  (perhaps  both)  is  withdrawn  and  there  the  matter  ends.  But 
this  happy  state  of  affairs  is  mostly  a  privilege  of  mathematicians.  In  philosophy 
it  is  usually  the  third  case  that  obtains.  When  things  get  clarified,  it  turns  out 
that  the  real  issue  is  not  the  correctness  of  a  certain  proof,  but  the  correct  way 
of  defining  certain  notions,  or  of  setting  up  a  framework.  The  debate  is  about 
which  setup  is  more  intuitive,  illuminating,  fruitful,  efficient,  etc. 

It appears that, in this respect, many computer scientists share the fate of
philosophers. What has started as a claim for a contradiction ("I have done
something that somebody proved cannot be done") turns out to be a claim
about the relative merits of trace models versus partial order models.

Lamport is certainly entitled to the view that the methods developed by
him are simpler and more efficient, for the purposes of analyzing and proving
correctness of distributed algorithms. No doubt, he can produce his own
impressive  work  as  an  argument  for  this  view.  The  claim  could  be  evaluated 
(certainly  not  by  me!)  in  a  matter  of  fact  way.  This  does  not  guarantee  that  the 
question  would  be  settled,  but  at  least  we  would  have  a  clearer  view  of  what  is 
involved.  Unfortunately,  he  has  got  this  bad  habit  of  philosophers  to  start  with 
an  imprecise  presentation  of  the  problem. 
Another bad influence of popularized philosophy is the temptation to anchor
one's views, no matter what the subject is, in some major principles; in the
present case maxims about what is and what is not good science are mobilized
for the sake of the argument:

"Any useful scientific theory has a limited domain of
application. A theory-of-everything is generally good for
nothing."

In  one  sense,  this  is  a  sound  rule  of  thumb  that  one  would  hardly  wish  to 
quarrel  with:  The  more  phenomena  you  try  to  accommodate  the  more  likely 
you are to get an impractical system. The rule has, nonetheless, some spectacular
exceptions. A higher level description that encompasses a wider range of
phenomena might be more efficient than a narrower view. Every mathematician
knows  cases  in  which  generalizing  (hence  strengthening)  a  theorem  leads  to  a 
conceptually  clearer,  hence  easier,  proof  of  it.  From  an  Aristotelian  point  of 
view  Newtonian  physics  would  have  been  a  project  unlikely  to  succeed,  because 
it  tried  to  account  for  the  immense  variegated  domain  of  movement  phenomena 
by  few  simple  laws. 

As  a  general  prescription  for  science,  the  above  quote  goes  certainly  against 
the  grain  that  is  exemplified  by  great  scientists,  such  as  Newton,  Maxwell  or 
Einstein. A "theory-of-everything" is the elusive goal that has motivated big
scientific  enterprises.  What  else  is  the  point  of  the  reduction  of  chemistry  to 
physics,  or  of  finding  a  unified  field  theory? 

All  this  has  no  direct  bearing  on  whether  an  interleaving  model,  or  a  partial 
order  model,  or  some  other  abstract  model,  is  more  suitable  for  reasoning  about 
concurrent  processes.  But  in  trying  to  drag  in  general  philosophical  principles, 
Leslie  Lamport  seems  to  have  committed  himself  to  quite  a  narrow  perspective 
of science; it is rather an engineer's view than anything else.

Haim  Gaifman 


To: concurrency@theory.lcs.mit.edu

From: Vaughan Pratt <pratt@cs.Stanford.EDU>

Subject: Early pomset paper
Date: Sun, 25 Nov 90 12:25:32 PST

If  there  are  any  historians  of  concurrency  theory  subscribing  to  this  forum 
they  might  be  interested  in  the  origins  (as  I  understand  them)  of  the  term 
"pomset."

The terms "labeled partial order" and "partial word" had been used previously,
but the earliest paper I'm aware of that refers explicitly to partially
ordered multisets as a synonym for these notions is:

@InProceedings(Pr82, Author="Pratt, V.R.",
  Title="On the Composition of Processes",
  Booktitle="Proceedings of the Ninth Annual ACM Symposium
             on Principles of Programming Languages",
  Month=Jan, Year=1982)

However I had not at that time come up with the contraction "pomset."
This  term  was  first  advertised  in  a  talk  I  gave  on  Sept.  13,  1983  at  a  workshop 
whose  proceedings  however  were  not  published  until  1985: 

@InProceedings(Pr83, Author="Pratt, V.R.",
  Title="Two-Way Channel with Disconnect",
  Booktitle="The Analysis of Concurrent Systems:
             Proceedings of a Tutorial and Workshop, LNCS 207",
  Publisher="Springer-Verlag", Year=1985)

I  also  used  it  in  a  talk  I  gave  the  following  week  at  IFIP-83  in  Paris.  It 
appears  in  the  position  statement  I  circulated  at  that  panel,  a  hundred  or  so 
copies  of  which  were  distributed  to  the  audience: 

@Unpublished(Pr83b, Author="Pratt, V.R.",
  Title="Position Statement",
  Note="Circulated at the Panel on Mathematics of Parallel
        Processes, chair A.R.G. Milner, IFIP-83",
  Month=Sep, Year=1983)

Now that I look at it again it seems to me that this position statement is
quite clear about my motivation in those days for pomsets and how I thought
they should be used. Since it's reasonably short and can't be found elsewhere
I've appended it below. (My apologies for its being in Scribe, this was what
many of us at MIT and Stanford used back then. Just read the raw Scribe, the
only obscurity should be x@-[y], the Scribe for x_y. [Fixed for this proceedings
-vp])

The cryptic allusion therein to ab|ab and N(a, a, b, b) refers to the fact, found
by  my  student  Jay  Gischer,  that  these  two  pomsets  are  language-equivalent. 
That  is,  regarded  as  language  operations  applied  to  languages  a  and  b  under 
the evident interpretation, they denote the same language. In 1982 Jay independently
came up with the partially ordered multiset concept, though not
by  that  name,  while  investigating  the  problem  of  completely  axiomatizing  the 
equational  theory  of  concatenation  and  shuffle  of  languages  which  I  had  posed 
to  him.  Jay  reduced  my  axiomatization  problem  to  the  question  of  whether  for 
any  two  N-free  pomsets,  language-equivalence  implied  isomorphism.  I  was  quite 
surprised  to  find  the  partially  ordered  multisets  of  my  POPL-82  paper  arising 
so naturally in connection with this question about pure interleaving semantics.
Neither Jay nor I found an answer to this question, which I publicized
(as  an  axiomatization  question)  on  various  occasions  during  1986-1988.  It  was 
eventually  solved  in  1988  by  Steve  Tschantz,  an  algebraist  at  Vanderbilt,  in 

@Unpublished(Tsch, Author="Tschantz, S.T.",
  Title="Languages under concatenation and shuffling (preliminary)",
  Note="Manuscript, Department of Mathematics, Vanderbilt
        University",
  Month=Jun, Year=1988)

Steve  independently  discovered  the  same  reduction  of  the  axiomatization 
problem  to  the  question  about  language-equivalence  of  N-free  pomsets,  which 
he  answered  affirmatively  by  an  ingenious  argument.  Luca  Aceto  subsequently 
applied Tschantz's theorem to infer the surprising result [correspondence, Apr.
1989] that timed-equivalence coincides with trace-equivalence for the language

    P ::= 0 | a | P;P | P||P.

Since  1983,  starting  with  my  LOP-85  paper 

@InProceedings(Pr85, Author="Pratt, V.R.",
  Title="Some Constructions for Order-Theoretic Models of
         Concurrency",
  Booktitle="Proc. Conf. on Logics of Programs, LNCS 193",
  Address="Brooklyn", Publisher="Springer-Verlag",
  Pages="269-283", Year=1985),

which  turned  into 

@Article(Pr86, Author="Pratt, V.R.",
  Title="Modeling Concurrency with Partial Orders",
  Journal="International Journal of Parallel Programming",
  Volume=15, Number=1, Pages="33-71", Month=Feb, Year=1986),

my  thoughts  on  the  appropriate  combinators  for  pomsets  have  shifted  from 
the  network  emphasis  in  my  POPL-82  paper  and  IFIP-83  statement  to  a  more 
arithmetic  kind  of  language  in  which  pomsets  are  added  and  multiplied  (and 
these  days  exponentiated,  whose  relevance  to  concurrency  I  did  not  appreciate 
in  1985).  Nowadays,  at  my  student  Roger  Crew’s  prodding,  I  regard  network 
combination  as  merely  one  of  several  variants  of  addition. 

Vaughan  Pratt 
Nov. 25, 1990
APPENDIX — IFIP-83 STATEMENT
IFIP-83  -  Panel  on  Mathematics  of  Parallel  Processes 
Position  Statement 
V.  R.  Pratt 
Stanford  University 
September,  1983 

Abstract.  The  notion  of  function  as  a  set  of  ordered  pairs  is  mathematically 
appealing  but  not  quite  rich  enough  for  modeling  processes.  Our  position  is  that 
it  suffices  to  generalize  ordered  pairs  to  pomsets  (partially  ordered  multisets)  to 
obtain  a  satisfactory  notion  of  process. 

Functions.  A  function  abstracts  the  essence  of  stimulus-response:  it  collects 
all  possible  stimuli  and  pairs  each  with  a  corresponding  response.  Furthermore 
functions  obey  the  principle  of  behavioral  extensionality:  two  functions  with 
the  same  set  of  stimulus-response  pairs  are  considered  not  merely  behaviorally 
equivalent  functions  but  in  fact  the  same  function.  These  two  attributes  are 
captured  simultaneously  in  defining  a  function  from  A  to  B  to  be  a  subset  of 
A x B (with additional conditions when being single-valued and total matters).

Processes.  Processes  are  like  functions  in  some  respects.  Processes  accept 
stimuli  and  emit  responses.  And  behavioral  extensionality  is  just  as  natural  for 
processes  as  for  functions. 

A  process  is  not  however  an  ordinary  function.  It  may  for  example  respond 
to  each  of  a  series  of  numeric  inputs  with  the  sum  of  all  inputs  to  date;  this  is 
the  behavior  of  a  cumulative  "function,”  which  is  not  really  a  function  since  it 
takes  memory  to  keep  a  running  sum. 

Functions  on  Histories.  A  process  can  be  made  a  function  if  the  domain  is 
taken  to  be  sequences  of  stimuli  instead  of  individual  stimuli.  That  is,  a  process 
may  be  defined  to  be  a  function  from  histories.  It  is  natural  to  then  take  the 
codomain  to  be  histories  as  well,  i.e.  a  process  is  a  function  on  histories. 

This  definition  is  the  basis  for  the  semantics  of  parallel  processes  given  at 
IFIP 74 by G. Kahn [K], and elaborated on at IFIP 77 by Kahn and D. MacQueen
[KM]. This definition works well for deterministic processes.

The Nondeterminism Anomaly. In 1978 D. Brock and W. Ackerman exhibited
an anomaly demonstrating that the straightforward extension of Kahn-MacQueen
semantics to nondeterministic processes, namely relations on histories,
did not yield sensible behaviors [BA]. They identified the problem as a
lack of information about the relative timing of individual input and output
events. The Kahn-MacQueen model did not specify any interleaving information
between input and output histories. Brock and Ackerman noted that a
little additional information of this sort sufficed to dispose of the anomaly at
hand.

Our Position. We consider the Brock-Ackerman fix, appropriately formalized
[Pr], to provide a very attractive model of processes. Before defining this
model  we  introduce  the  notion  of  partially  ordered  multiset  or  pomset. 

Pomsets. A pomset on a set A is, up to isomorphism, a structure (U, L, <)
consisting of an underlying set U, a labelling function L : U -> A, and a partial
order < on U.

The  labels  supply  the  elements  of  the  pomset.  The  same  label  can  be  reused, 
hence  multiset  rather  than  set.  Pomsets  are  defined  only  up  to  isomorphism  (of 
structures)  because  the  identity  of  the  underlying  set  is  unimportant;  only  the 
labels  (the  real  multiset  elements)  and  the  order  matter. 

Main  definition.  A  process  on  a  set  E  is  a  set  of  pomsets  on  E. 

Intended  Interpretation.  E  is  a  set  of  events.  Each  pomset  of  events  is 
one  of  the  possible  computations  of  the  process.  The  order  on  each  pomset  is 
that  of  necessary  temporal  precedence;  the  order  of  the  events  in  a  computation 
need  not  be  completely  specified. 

Contrast with Functions. A function is a set of totally ordered doubletons.
This definition exposes three differences between functions and processes:
the  dropping  of  the  cardinality  requirement  that  each  element  of  a  function 
have  two  elements,  the  switch  from  sets  to  multisets,  and  the  switch  from  a 
total  order  to  a  partial  order. 

The cardinality change is motivated by the ongoing nature of a process:
many events may need to be considered as part of a single computation. Multisets
are needed because an event may be repeated, e.g. the arrival of the number
3. Partial orders are preferred over total because it is not always natural to
totally order events - consider for example two communicating processes on Earth
and Saturn respectively, each running at nanosecond speeds.

Inadequacy  of  Total  Orders.  The  use  of  total  rather  than  partial  orders 
enjoys  some  currency  in  modeling  parallel  processes  [H][Pn].  However  there  does 
not  appear  to  be  a  natural  way  of  using  total  orders  to  distinguish  the  following 
two  ways  in  which  two  a’s  might  precede  two  b’s. 

    a   a        a   a
    |   |        |\  |
    |   |        | \ |
    |   |        |  \|
    b   b        b   b

Thus not only are total orders unnatural, they are not an expressively adequate
substitute for pomsets.

Examples.  The  above-drawn  pomsets  together  form  a  two-element  process. 
Any  n-ary  relation  (hence  binary  relation,  and  hence  function)  is  a  process  if 
each  n-tuple  in  the  relation  is  regarded  as  a  totally  ordered  set.  A  power  set 
is  a  process  if  each  element  is  regarded  as  a  set  with  the  empty  partial  order. 
The power set C of a power set B is a process if each element of C is regarded
as  ordered  by  inclusion  on  B:  event  e  necessarily  follows  event  d  just  when  e  is 
d  with  some  additional  elements  -  the  process  makes  progress  by  accumulating 
elements  and  distinct  accumulations  leading  to  the  same  subset  are  (in  this  case) 
considered  the  same  event. 
Spatial Localization. In order to put processes in communication with
each other it is helpful to know where their events are taking place (cf. [W],
p. 64). We define an event space to be a Cartesian product C x D, consisting
of  spatial  events.  The  intended  interpretation  is  that  C  is  a  set  of  channels  or 
places  (cf.  [B])  where  the  events  may  be  found  and  D  the  set  of  data  that  may 
be  sent  over  the  channels  of  C.  A  spatial  process  is  a  process  on  an  event  space. 

Nets. A net is a process P on C x D having constituent processes P_1, ..., P_n
on C_1 x D, ..., C_n x D respectively. Process P_i is a constituent of P just when
there exists a function a_i : C_i -> C determining a projection A_i : P -> P_i.
(a_i gives the attachment of the channels (i.e. ports) of P_i to the channels of
the net.) The projection A_i is determined from a_i by taking A_i(p) to be the
multiset {(c, d) | (a_i(c), d) in p}. Order is preserved, that is, (c, d) < (c', d') in
A_i(p) iff (a_i(c), d) < (a_i(c'), d') in p. (Note that A_i need not be onto, i.e. it is
not required that P_i equal A_i(P), only that it include it.)

Process Composition. Processes are composed to form a new process in
two steps: given the processes P_i with corresponding attachments a_i : C_i -> C
for i from 1 to n - 1, the maximum (under set inclusion) net P having those
processes as constituents is formed, and then an additional attachment a_n :
C_n -> C is used to determine the projection A_n : P -> P_n. The result is A_n(P).
The n attachments themselves can thus be seen to determine an (n - 1)-ary
operation on processes.

Example. Ordinary composition of binary relations on D is determined
by C_1 = C_2 = C_3 = {0,1}, C = {0,1,2} with a_1(c) = c, a_2(c) = c + 1, and
a_3(c) = 2c. In this net P_1 and P_2 are composed to yield P_3. This is of course a
particularly simple example.
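The pomset definition and the two diagrams in the statement above, as an added example that is not part of Pratt's message or of any code of his: a small Python implementation of (U, L, <) in which U is a set of string names, L a dictionary from names to labels, and < the transitive closure of a set of generating pairs (these representation choices, and the names used, are assumptions of this example). It builds the two pomsets ab|ab and N(a, a, b, b) from the diagram, checks that they are not isomorphic, and then computes each one's language (the label strings of its linear extensions, i.e. the pure-interleaving reading) to exhibit the Gischer fact mentioned earlier in the message that they are nonetheless language-equivalent. A totally ordered chain a < a < b < b is included for contrast with the "function as a set of totally ordered doubletons" view.

```python
"""Pomsets (U, L, <) up to isomorphism, after Pratt's IFIP-83 statement.

Added example, not from the original message. Representation choices here
(string-named events, dict labelling, generating pairs) are this example's own.
"""
from itertools import permutations
from typing import Dict, FrozenSet, Iterator, Set, Tuple


class Pomset:
    def __init__(self, labels: Dict[str, str], order: Set[Tuple[str, str]]):
        # U is the set of event names, L the labelling function, and < the
        # transitive closure of the generating pairs (u, v) meaning u < v.
        self.U = frozenset(labels)
        self.L = dict(labels)
        self.lt = self._closure(set(order))
        for (u, v) in self.lt:
            assert u in self.U and v in self.U, "pair outside U"
            assert (v, u) not in self.lt, "not a partial order (cycle)"

    @staticmethod
    def _closure(rel: Set[Tuple[str, str]]) -> FrozenSet[Tuple[str, str]]:
        # Naive transitive closure; fine for the handful of events used here.
        changed = True
        while changed:
            changed = False
            for (a, b) in list(rel):
                for (c, d) in list(rel):
                    if b == c and (a, d) not in rel:
                        rel.add((a, d))
                        changed = True
        return frozenset(rel)

    def linear_extensions(self) -> Iterator[Tuple[str, ...]]:
        # Every total order on U that respects <; brute force over permutations.
        for perm in permutations(sorted(self.U)):
            pos = {u: i for i, u in enumerate(perm)}
            if all(pos[u] < pos[v] for (u, v) in self.lt):
                yield perm

    def language(self) -> FrozenSet[str]:
        # The interleaving (trace) reading: label strings of linear extensions.
        return frozenset("".join(self.L[u] for u in perm)
                         for perm in self.linear_extensions())

    def isomorphic(self, other: "Pomset") -> bool:
        # Pomsets are defined only up to isomorphism: look for a label-preserving
        # bijection U -> U' that carries < exactly onto <'.
        if len(self.U) != len(other.U) or len(self.lt) != len(other.lt):
            return False
        us = sorted(self.U)
        for vs in permutations(sorted(other.U)):
            f = dict(zip(us, vs))
            if all(self.L[u] == other.L[f[u]] for u in us) and \
               all((f[u], f[v]) in other.lt for (u, v) in self.lt):
                return True
        return False


LABELS = {"a1": "a", "a2": "a", "b1": "b", "b2": "b"}


def parallel_ab_ab() -> Pomset:
    # ab|ab: two independent chains a1 < b1 and a2 < b2 (left diagram).
    return Pomset(LABELS, {("a1", "b1"), ("a2", "b2")})


def n_pomset() -> Pomset:
    # N(a,a,b,b): a1 < b1, a1 < b2, a2 < b2 (right diagram, with the diagonal).
    return Pomset(LABELS, {("a1", "b1"), ("a1", "b2"), ("a2", "b2")})


def chain_aabb() -> Pomset:
    # A totally ordered pomset a1 < a2 < b1 < b2: one interleaving only.
    return Pomset(LABELS, {("a1", "a2"), ("a2", "b1"), ("b1", "b2")})


def compare() -> dict:
    p, q = parallel_ab_ab(), n_pomset()
    return {
        "isomorphic": p.isomorphic(q),                  # False: 2 vs 3 order pairs
        "same_language": p.language() == q.language(),  # True: both {aabb, abab}
        "language": sorted(p.language()),
    }


if __name__ == "__main__":
    print(compare())
    print("chain language:", sorted(chain_aabb().language()))
```

Run as a script it prints the comparison. The isomorphism and linear-extension searches are exhaustive over permutations, which is adequate for four events but exponential in general; the point of the block is the definition and the language-equivalence observation, not an efficient algorithm.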
To: concurrency@theory.lcs.mit.edu
From: Eike Best <gmdzi!eike@relay.eu.net>

Subject: Re: Zeno machines
Date: Wed, 2 Jan 91 16:07:24 -0100

In  a  message  shortly  before  Christmas,  Vaughan  Pratt  writes: 

> "Probably the earliest mention of partial orders
> in respect to concurrency is in Irene Greif's Thesis of 1975..."

(quote from memory).

Claim: 

Partial  ordering  ideas  have  been  around  at  least  since  the  mid-sixties. 

A fairly extensive formal discussion of "occurrence graphs" (special partial
orders  of  the  type  I  will  describe  below)  and  "occurrence  systems”  (sets  of 
occurrence  graphs)  is  in: 

A.W. Holt: Final Report of the Information System Theory Project. Technical
Report RADC-TR-68-305, Rome Air Development Center, Griffiss Air Force
Base, New York (1968).

Or  compare  A. W. Holt:  Events  and  Conditions,  Project  MAC  Conference 
(1970): 

"Two ... occurrences are ordered if they are connected by a directed path.
They are then ordered in the sense of the path. ... if (two events) are not
ordered with respect to one another, (then they are) concurrent."

Or  from  Suhas  Patil’s  PhD  Thesis  (Coordination  of  Asynchronous  Events, 
MIT,  June  1970): 

”...The  events  corresponding  to  the  nodes  which  are  ordered  must  occur  in 
that  order  but  the  events  corresponding  to  nodes  which  are  not  ordered  may 
occur concurrently."